What happened
OpenAI Codex's desktop client automatically fetched and rendered remote images referenced in Markdown output from the model. Because model output can be steered by indirect prompt injection from untrusted tool results, an attacker could cause Codex to build an image URL embedding secret data, exfiltrating it via the outbound image request.
Why it matters
This is a classic 'Markdown image exfiltration' pattern seen across many AI coding assistants and chat clients — it turns a UI convenience feature into a covert data-exfiltration channel triggered purely by content an agent reads, no code execution required, and is directly relevant to the growing class of indirect-prompt-injection attacks against widely-used AI coding agents.
Attack vector
The Codex desktop app rendered remote images from Markdown in model responses. An attacker able to place an indirect prompt injection in content processed by Codex (e.g. a connected-tool result or other untrusted source) could induce the model to construct a remote image URL that encodes sensitive session data, exfiltrating it to an attacker-controlled server when the image is fetched/rendered.
Affected systems
OpenAI Codex desktop app for macOS
Mitigation
Update to the patched OpenAI Codex desktop release per OpenAI's advisory; disable automatic remote image rendering from untrusted model output where possible.