Recent research by Check Point and BeyondTrust Phantom Labs has revealed critical security weaknesses in two widely used OpenAI services: ChatGPT and OpenAI Codex. The findings demonstrate how advanced attackers could silently exfiltrate data, hijack developer workflows and abuse large language model (LLM) agents as new entry points into corporate infrastructure.
ChatGPT vulnerability: covert DNS channel for data exfiltration
Check Point researchers identified a previously unknown ChatGPT vulnerability enabling covert DNS-based data exfiltration. The issue resided in the Linux execution environment used by an AI agent to run code and analyze user-supplied content.
By design, ChatGPT restricts direct outbound network access, limiting the model’s ability to send data to the internet. However, the researchers showed that an attacker could abuse the system DNS resolver as a hidden transport channel, bypassing these restrictions without triggering standard safeguards.
How DNS data exfiltration from ChatGPT worked
In the demonstrated attack, sensitive information from the conversation — including messages, uploaded files and other confidential content — was encoded inside DNS queries generated from the Linux environment. To ChatGPT and its surrounding controls, these queries appeared as benign internal activity rather than explicit data transmission to an external system.
As a result, according to Check Point:
• no data loss prevention or export warnings were triggered;
• no additional user consent was requested;
• the exfiltration channel remained effectively invisible to the end user.
The same side channel could reportedly be extended to provide a remote shell into the Linux container, allowing execution of arbitrary commands. This shifts the risk from simple data leakage to potential full compromise of the agent’s runtime environment.
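As an added illustration, not part of the Check Point research or this article, the following resolver-log heuristic shows what a defender could look for to catch the pattern described above: chunked, encoded payloads sent as subdomains of a single base domain. The log lines, the c2.example domain and the thresholds are constructed for this example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log ("<timestamp> <client> <qname>"), not real
# traffic; the *.c2.example names mimic hex-encoded chat content chunked into
# subdomain labels, the pattern the article describes.
SAMPLE_LOG = """\
2026-02-18T10:00:01Z 10.0.0.5 pypi.org
2026-02-18T10:00:02Z 10.0.0.5 files.pythonhosted.org
2026-02-18T10:00:03Z 10.0.0.5 4d657373616765206672.6f6d207468652075736572.c2.example
2026-02-18T10:00:03Z 10.0.0.5 3a2075706c6f61646564.20636f6e74726163742e.c2.example
2026-02-18T10:00:04Z 10.0.0.5 646f63782c20636c6175.7365203320646174612e.c2.example
2026-02-18T10:00:05Z 10.0.0.5 api.github.com
"""
HEX_PAYLOAD = re.compile(r"^[0-9a-f]{16,}$")

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_qname(qname):
    """Return (base_domain, payload). Assumes the registrable domain is the last
    two labels; a real deployment should use the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])

def find_tunnel_candidates(log_text, min_queries=3, min_len=20, min_entropy=3.0):
    """Flag base domains receiving many distinct, long, hex-like or high-entropy
    subdomain payloads: the footprint of data chunked into DNS queries."""
    per_base = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            base, payload = split_qname(parts[2])
            if payload:  # bare "example.org" queries carry no payload
                per_base[base].add(payload)
    findings = {}
    for base, payloads in per_base.items():
        n = len(payloads)
        avg_len = sum(map(len, payloads)) / n
        avg_entropy = sum(map(shannon_entropy, payloads)) / n
        hex_ratio = sum(bool(HEX_PAYLOAD.match(p)) for p in payloads) / n
        if n >= min_queries and avg_len >= min_len and (avg_entropy >= min_entropy or hex_ratio >= 0.5):
            findings[base] = {"distinct_payloads": n, "avg_len": round(avg_len, 1),
                              "avg_entropy": round(avg_entropy, 2), "hex_ratio": hex_ratio}
    return findings
```

Tune the thresholds against baseline traffic and allowlist CDN and anti-malware domains that legitimately use many encoded subdomains, otherwise the heuristic is noisy.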
Prompt injection and malicious custom GPTs as attack vectors
The practical attack chain relies on prompt injection combined with social engineering. An adversary could present a specially crafted prompt as a “hidden optimization trick” or a way to “unlock premium features” and convince users to paste it into ChatGPT.
The risks are amplified by the rise of custom and enterprise GPTs. In such scenarios, malicious instructions can be embedded directly into the GPT’s configuration. Users do not need to submit suspicious text manually; simply interacting with a compromised agent may be enough to trigger hidden exfiltration logic.
According to the researchers, the DNS exfiltration vulnerability was remediated by OpenAI on 20 February 2026 following responsible disclosure. At the time of reporting, there was no public evidence of the flaw being exploited in the wild.
Malicious browser extensions intercepting AI conversations
In parallel with server-side vulnerabilities, researchers are observing a surge in malicious or high-risk browser extensions that hook into web-based AI chat interfaces. These extensions can read and transmit the entire conversation history with ChatGPT or other LLM chatbots to remote servers.
Some extensions are created with spying as their primary purpose, while others start as legitimate tools and later receive updates that introduce covert data collection. For organizations, this presents a serious risk: employees often paste source code, contract fragments and internal documents into AI tools, unaware that a third-party plugin may be intercepting the data.
Such leakage can facilitate identity theft, targeted phishing, exposure of trade secrets and compromise of regulated customer information. IBM’s 2023 Cost of a Data Breach report shows that the average global breach cost reached USD 4.45 million, underscoring the financial impact when sensitive data escapes traditional perimeter defenses.
OpenAI Codex: command injection via GitHub branch names
BeyondTrust Phantom Labs separately discovered a critical command injection vulnerability in OpenAI Codex, a cloud-based agent designed to assist software engineers. The flaw stemmed from insufficient sanitization of user-controlled input when processing GitHub branch names.
During the creation of a Codex job, the branch name was passed as a parameter in an HTTP request. By embedding shell metacharacters or commands into this parameter, an attacker could cause the agent’s container to execute arbitrary commands on the server side.
This made it possible to extract the GitHub User Access Token used by Codex for authentication. With that token, an attacker could perform lateral movement across the victim’s GitHub organization, including reading and modifying repositories.
According to BeyondTrust, the same technique could also be used to steal the GitHub Installation Access Token and to execute bash commands each time a user mentioned @codex in pull request comments. This extended the attack surface across the ChatGPT interface, the Codex CLI, SDK and IDE extensions.
OpenAI reportedly patched the vulnerability on 5 February 2026 after it was disclosed on 16 December 2025.
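An added example, not OpenAI's code and not the actual Codex implementation: the general pattern behind this class of bug, a user-controlled branch name interpolated into a shell command line, beside a hardened form. The validator and the strict allowlist are assumptions of this example, drawn from git-check-ref-format(1); the practical point is that git's own naming rules still admit shell metacharacters, so validation alone does not close the hole and the name must never reach a shell unquoted.

```python
import re
import shlex
import subprocess

# Subset of the rules in git-check-ref-format(1). Illustrative validator written
# for this example; it is not OpenAI's code and not a full re-implementation.
_GIT_REF_FORBIDDEN = re.compile(
    r"[\x00-\x20\x7f~^:?*\[\\]"    # control chars, space and git's reserved chars
    r"|\.\.|@\{|//|^-"             # "..", "@{", empty component, leading dash
    r"|(^|/)\.|[/.]$|\.lock(/|$)"  # component starting with ".", trailing "/" or ".", ".lock"
)
# Optional stricter allowlist for an API parameter: letters, digits and "._/-" only.
_STRICT_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")

def is_valid_branch_name(name, strict=False, max_len=255):
    """Git's own rules still admit ; $ ( ) | & ` ' " so they do NOT stop shell
    injection on their own; strict=True rejects those characters as well."""
    if not name or len(name) > max_len or name == "@":
        return False
    if _GIT_REF_FORBIDDEN.search(name):
        return False
    return bool(_STRICT_ALLOWED.match(name)) if strict else True

def vulnerable_command(branch):
    """The pattern to avoid: user input interpolated into a command line that is
    later run with shell=True, where /bin/sh interprets any metacharacters."""
    return f"git checkout {branch}"

def checkout_argv(branch):
    """Hardened form: validate, then build an argv list. With shell=False the
    branch is always one literal argument whatever it contains, and the
    validator has already rejected a leading "-" so it cannot become a flag."""
    if not is_valid_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["git", "checkout", branch]

def shell_safe_command(branch):
    """If a shell is unavoidable (e.g. a remote job runner), quote the argument."""
    if not is_valid_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return f"git checkout {shlex.quote(branch)}"

def run_checkout(branch, cwd="."):
    """Execute the hardened checkout with no shell; returns git's exit status."""
    return subprocess.run(checkout_argv(branch), cwd=cwd).returncode
```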
AI security for enterprises: need for an additional protection layer
The vulnerabilities in ChatGPT and OpenAI Codex highlight a critical point: AI platforms and LLM agents are not “secure by default”, even when operated by major technology providers. As AI systems gain access to codebases, internal documents and personal data, they become high-value targets and potential pivot points into enterprise environments.
Security bodies such as OWASP have already published guidance on LLM-specific risks, including prompt injection, data exfiltration and insecure plugin ecosystems. For enterprises, this translates into a need to build a dedicated security layer around external AI services, rather than trusting vendor defaults.
Practical measures include:
• routing all LLM traffic through an enterprise-controlled proxy or API gateway with full logging and anomaly detection;
• enforcing policies that limit upload of confidential or regulated data to public AI models;
• scanning and filtering prompts and outputs for prompt injection patterns and hidden instructions;
• tightly governing browser extensions and plugins that interact with AI tools;
• regularly auditing access tokens, GitHub integrations and other DevOps connections exposed to AI agents.
As AI adoption accelerates, the attack surface will continue to expand beyond traditional applications and endpoints. Organizations that treat LLM agents as first-class assets in their security architecture — monitoring containers, validating inputs and layering defenses around third-party AI services — will be better positioned to prevent the next data leak or supply-chain compromise driven by AI tools.