AI Meets Code Security: OpenAI's New Tool Finds 10,561 Critical Issues in 1.2 Million Commits
I’ll be honest – when I first heard OpenAI was launching an AI-powered security scanner, I was skeptical. We’ve all seen tools promise the moon and deliver a crater. But the numbers coming out of their Codex Security preview are making me take notice, and frankly, they should make all of us rethink how we approach code security at scale.
The Numbers That Matter
OpenAI just rolled out Codex Security, and in what appears to be their initial testing phase, it scanned 1.2 million commits and flagged 10,561 high-severity vulnerabilities. That’s roughly one critical issue for every 114 commits – a ratio that should make any security team’s stomach drop.
What’s particularly interesting is that this isn’t just another static analysis tool throwing false positives at you. According to OpenAI, Codex Security builds deep context about your project before identifying issues, and it doesn’t stop at detection – it actually proposes fixes. The tool is currently available as a research preview to ChatGPT Pro, Enterprise, Business, and Edu customers, with free usage for the next month.
The cynic in me wonders about the false positive rate, but if these numbers hold up under real-world scrutiny, we’re looking at a potential game-changer for development teams drowning in technical debt and security backlogs.
Meanwhile, Attackers Aren’t Waiting
While we’re getting excited about AI-powered defense tools, threat actors are busy perfecting their own techniques. The Termite ransomware campaign caught my attention because it showcases how sophisticated social engineering has become.
The Velvet Tempest group is using something called the ClickFix technique – essentially tricking users into running malicious code by making it look like they’re fixing a legitimate system issue. They’re deploying the DonutLoader malware and the CastleRAT backdoor through this method, turning user helpfulness into an attack vector.
What’s particularly clever (and concerning) is their use of legitimate Windows utilities in the attack chain. This isn’t some exotic malware that our endpoint detection systems will immediately flag – it’s abuse of tools that are supposed to be there.
The GitHub Problem Gets Worse
Speaking of abuse, we’ve got another supply chain security headache brewing. Security researchers found over 100 GitHub repositories distributing BoryptGrab Stealer, targeting browser data, cryptocurrency wallets, and system information.
This hits close to home for anyone managing development workflows. GitHub repositories are supposed to be our trusted source for code and tools, but attackers are increasingly using them as distribution networks for malware. The sheer scale – over 100 repositories – suggests this isn’t opportunistic but coordinated.
For those of us responsible for securing development environments, this reinforces why we need robust policies around code sourcing and why developer education about repository vetting is crucial.
Policy Meets Practice
On the policy front, the new US Cyber Strategy under the Trump administration is focusing on deterrence against cyber adversaries, federal network modernization, and critical infrastructure protection. The strategy specifically calls out investment in AI and post-quantum cryptography.
While policy documents often feel disconnected from our day-to-day security work, this one matters because it signals where federal funding and regulatory focus will land. If you’re working in critical infrastructure or government contracting, expect new requirements around AI security and quantum-resistant cryptography sooner rather than later.
Tools and Updates
On a lighter note, YARA-X 1.14.0 dropped with four improvements and two bug fixes. For those of us using YARA for malware detection and classification, it’s worth checking out the release notes – especially given the evolving threat landscape we’re dealing with.
What This Means for Us
Looking at these stories together, I see a clear theme: the gap between attack sophistication and defensive capabilities is narrowing, but it’s happening through automation and AI rather than traditional security approaches.
OpenAI’s code scanner potentially gives us the ability to find vulnerabilities at a scale that manual code review never could. But attackers are simultaneously getting better at blending into legitimate infrastructure and processes. The BoryptGrab campaign shows they’re not just using our tools against us – they’re using our trusted platforms too.
The key takeaway for security teams is that we need to start thinking about AI-powered tools not as future possibilities but as current necessities. Whether it’s for code analysis, threat detection, or incident response, the organizations that figure out how to effectively integrate AI into their security workflows will have a significant advantage.
Sources
- OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues
- Termite ransomware breaches linked to ClickFix CastleRAT attacks
- US Cyber Strategy Targets Adversaries, Critical Infrastructure, and Emerging Technologies
- YARA-X 1.14.0 Release
- Over 100 GitHub Repositories Distributing BoryptGrab Stealer