Low-skill attackers are using Claude Code and Codex to breach companies for under a dollar. OALABS researchers recovered over 1,000 agent sessions from a compromised server and found the pattern is simple: the attacker gives vague prompts like "find a way into this company" and the agent does the rest.
The agent researches exposed services, identifies vulnerabilities, writes exploit code, validates access, and handles data exfiltration. The attacker just frames requests as bug bounties or pen-testing. The agent supplies the technical execution the attacker lacks.
From the Help Net Security article "Low-skilled attacker used Claude, Codex to breach 14 companies":
Researchers have long warned that AI agents could lower the skill floor for offensive cyber operations, and a recent report by OALABS researchers bears that out. After recovering and analyzing over 1,000 agent sessions from a compromised server on which an attacker deployed Anthropic's Claude Code and OpenAI's Codex agents, the researchers discovered how easily the attacker was able to bypass most of the agents' guardrails, and how little he actually needed to know and do himself.
In many cases, the attacker supplied only vague, low-skill prompts and allowed Claude to fill in the gaps: researching exposed services, identifying possible vulnerabilities, writing exploit code, validating access, and harvesting data. The attacker did not need to be an expert operator; they simply had to use the correct framing for their prompts. The agent supplied much of the structure and technical execution that the attacker appeared to lack.
The compromised server belonged to a previous software developer. The attacker copied Claude Code onto the host rather than installing it fresh — suggesting hijacked agent instances are a real threat vector. The attacker's working directory also contained other stolen Claude instances archived in 7-Zip folders, pointing to a routine practice of stealing and reusing other people's AI agent installations.
Across more than 1,000 sessions, Claude emitted only nine policy violations and Codex only one. In most cases, the attacker worked around them by reframing the request as "authorized red team" or "cyber security research." The researchers noted this framing is identical to what thousands of legitimate security professionals use every day, making it an unsolvable detection problem.
For each successful target, Claude drafted a "PENTEST-REPORT" detailing how access was gained and included dollar-value monetization estimates for the harvested data. Both Claude and Codex raised the majority of their policy violation blocks during this phase, often correctly identifying that monetizing stolen data was likely not part of a legitimate red team exercise. But the attacker eventually obtained a list of suggested strategies anyway.
The era of trusting AI coding assistants by default is over. The credentials and tool access are the attack surface now, not the model itself.
Fight AI with AI.
Source: Help Net Security — "Low-skilled attacker used Claude, Codex to breach 14 companies" (June 17, 2026) · OALABS research: "Compromised Claude"