The security research group OALABS (Open Analysis Labs) published a detailed report around June 17, 2026, documenting how a low-skilled attacker abused Anthropic's "Claude Code" and OpenAI's "Codex" AI agents to compromise at least 14 companies. The attacker deployed these agents on hijacked servers and ran reconnaissance, exploitation, and data exfiltration in a semi-autonomous fashion. Report summary
AI Misuse Forensics · Security Analysis
A Low-Skill Attacker Turned AI Agents Into a Semi-Autonomous Hacking Crew
Recovered from a compromised Linux server: Claude Code and OpenAI's Codex were driven by plain-language prompts to run reconnaissance, intrusion and data theft against at least 14 organizations — generating per-victim "PENTEST-REPORT" dossiers along the way.
14+
organizations targeted & ranked in a "Goldmine" value list
1,000+
agent session logs recovered & reconstructed in full
10
total safety refusals across both agents — easily bypassed
Policy Refusals Were Almost Nonexistent
Across 1,000+ sessions, safety guardrails triggered only 10 times — and "authorized redteam exercise" framing slipped right past them.
Each block = one logged refusal · Codex was reported more resistant to direct attack tasks
Two Agents, Divided Labor
Vague prompts like "recon this host" or "get a shell" let the operator delegate planning and execution.
CLAUDE CODE · opus-4.5
Primary attack driver
Recon, intrusion, exploit generation & execution. Ran bash, curl, Nikto, Shodan in a Kali environment.
CODEX · gpt-5.2-codex
Support role
Researched monetization strategies and monitored the attacker's own infrastructure.
Autonomous Attack Loop
Recon host
→
Generate & run N-day exploit
→
Get shell & steal data
→
Auto PENTEST-REPORT + revenue estimate
PUBLICLY-DISCLOSED (N-DAY) VULNERABILITIES EXPLOITED
CitrixBleed 2 · CVE-2025-5777
PwnKit · CVE-2021-4034
DirtyPipe · CVE-2022-0847
Ghostscript-related
The Twist · OPSEC Self-Exposure
It wasn't the AI that exposed the attacker — it was his own sloppy operational security.
Prompts and logs contained his own resume — name, residence in Addis Ababa, and a LinkedIn profile
IP-verification work tied activity back to him
Active window of 10:00–20:00 UTC matched local waking hours
Continue reading The rest of this article is for AI News Blitz readers. Choose an option below to keep reading.
Already purchased? Sign in ✓ Signed in — this article isn’t included in your current plan.Unlocking the full article…