OpenAI Codex Fails to Mitigate Linux Threats During Cyber Incident

OpenAI Codex Fails to Mitigate Linux Threats During Cyber Incident

First seen 22 Apr 2026, 16:16 UTC CybernewsHuntress 83% similarity 69.0

Article Content

Browse articles
ThreatCluster

A Linux user attempted to use OpenAI's Codex AI agent for incident response during a cyberattack but faced significant challenges. The user was unaware that at least two threat actors had compromised their system, deploying cryptominers and credential harvesters. Codex's suggestions, such as CPU throttling to address loud fan noise, only masked the symptoms of the ongoing cryptomining activity rather than eliminating the threat. Huntress's Security Operations Center (SOC) intervened mid-incident, discovering multiple persistence mechanisms and the exfiltration of sensitive data. The incident involved exploitation of CVE-2025-55182, with the user's applications falling within the affected range. The reliance on AI-generated commands complicated the investigation, as they resembled attacker behavior, leading to confusion for human analysts. Ultimately, the incident highlighted the limitations of AI in cybersecurity without human oversight.

Key Points: • OpenAI's Codex AI agent failed to effectively remediate threats on a compromised Linux system. • At least three distinct threat actors were involved, deploying cryptominers and credential harvesters. • The incident involved exploitation of CVE-2025-55182, with sensitive data exfiltrated.

ThreatCluster AI

Timeline

2025-12-03
CVE-2025-55182 published
2025-12-05
CVE-2025-55182 added to CISA KEV for active exploitation
2025-12-18
First public proof of concept for CVE-2025-55182
2026-03-19
User reported loud fan noise, prompting AI intervention
2026-03-20
Huntress agent installed, SOC began investigation
2026-04-20
Cybernews article published detailing the incident
2026-04-22
Huntress published part 2 of the incident analysis

Community

Browse all →