OpenAI Codex Fails to Mitigate Linux Threats During Cyber Incident

Severity: High (Score: 69.0)

Sources: Cybernews, Huntress

Summary

A Linux user attempted to use OpenAI's Codex AI agent for incident response during a cyberattack but faced significant challenges. The user was unaware that at least two threat actors had compromised their system, deploying cryptominers and credential harvesters. Codex's suggestions, such as CPU throttling to address loud fan noise, only masked the symptoms of the ongoing cryptomining activity rather than eliminating the threat. Huntress's Security Operations Center (SOC) intervened mid-incident, discovering multiple persistence mechanisms and the exfiltration of sensitive data. The incident involved exploitation of CVE-2025-55182, with the user's applications falling within the affected range. The reliance on AI-generated commands complicated the investigation, as they resembled attacker behavior, leading to confusion for human analysts. Ultimately, the incident highlighted the limitations of AI in cybersecurity without human oversight.

Key Points

  • OpenAI's Codex AI agent failed to effectively remediate threats on a compromised Linux system.
  • At least three distinct threat actors were involved, deploying cryptominers and credential harvesters.
  • The incident involved exploitation of CVE-2025-55182, with sensitive data exfiltrated.

Key Entities

  • Botnet (attack_type)
  • Data Breach (attack_type)
  • Malware (attack_type)
  • Ransomware (attack_type)
  • Germany (country)
  • CVE-2025-55182 (cve)
  • 169.254.169.254 (ipv4)
  • XMRig (malware)
  • React2Shell (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • Linux (platform)
  • MacOS (platform)
  • 781c19b56fbdb17284707f9026e107f639e5447df7df3b248a5d5a50c4b0806c (sha256)
  • Bash (tool)
  • Chattr (tool)
  • Codex (tool)
  • Curl (tool)
  • Netcat (tool)
  • 48jWtAsev4V9iDeN5TK5PQVNGhnJJR35yiJfJ1tbA3f73ZCiiarUxc4RMU4hNMsd1Udjbe1tCiBeFbx216UXXJzLB98dmJR (xmr)