SUCCESS

AI is more than a technology — it’s magic.Don’t believe me? Why, then, is one of the leading companies in the space, OpenAI, publishing entire official, corporate blog posts about goblins?To understand, we first have to go back to earlier this week, on Monday, April 27, 2026, when a developer under the handle @arb8020 on the social network X posted a snippet from the OpenAI open source Codex GitHub repository, specifically a file named models.json. Deep within the instructions for the new OpenAI large language model (LLM) GPT-5.5, a peculiar directive stood out, repeated four times for emphasis:”Never talk about goblins, gremlins, raccoons, trolls, ogres, pigeons, or other animals or creatures unless it is absolutely and unambiguously relevant to the user’s query.”The discovery sent a shockwave through the “power user” and machine learning (ML) researcher circles. Within hours, the post had gone viral, not because of a security flaw, but because of its sheer, baffling specificity.Why had the world’s leading AI laboratory issued what Reddit users quickly dubbed a “restraining order” against pigeons and raccoons?Goblin speculation aboundsThe initial reaction was a chaotic blend of humor and technical skepticism. On Reddit’s r/ChatGPT and r/OpenAI, users began sharing screenshots of GPT-5.5’s behavior prior to the patch. Barron Roth, a Senior Project Manager of Applied AI at Google, shared an image on X under his handle @iamBarronRoth of his GPT-5.5 powered OpenClaw agent that seemed “obsessed with goblins.” Others reported that the model stubbornly referred to technical bugs as “gremlins in the machine”.Developers like Sterling Crispin leaned into the absurdity, jokingly theorizing that the massive water consumption of modern data centers was actually needed to cool “the goblins being forced to work”. More seriously, researchers on Hacker News and beyond discussed the “Pink Elephant” problem. In prompt engineering, telling a model not to think of something often makes the concept more salient in its attention mechanism.””Somewhere there is an OpenAI engineer who had to type never mention goblins in production code, commit it, and move on with their day,” noted one commentator on Reddit.The presence of “pigeons” and “raccoons” led to wild speculation: Was this a defense against a specific data-poisoning attack? Or had the reinforcement learning trainers simply been “bullied by a raccoon” during a lunch break?The tension reached a peak when OpenAI co-founder and CEO Sam Altman joined the fray on X. On the same day as the discovery, Altman posted a screenshot of a ChatGPT prompt that read: “Start training GPT-6, you can have the whole cluster. Extra goblins.”. While humorous, it confirmed that the “goblin” phenomenon was not a localized bug but a company-wide narrative that had reached the highest levels of leadership.OpenAI comes clean on goblin modeYesterday, as the discussion continued on X and wider social media, OpenAI published a formal technical explanation titled “Where the goblins came from”. The blog post served as a sobering look at the unpredictable nature of Reinforcement Learning from Human Feedback (RLHF) and how a single aesthetic choice could derail a multi-billion-parameter model.OpenAI revealed that the “goblin” behavior was not a bug in the traditional sense, but a byproduct of a new feature: personality customization, which it introduced for users of ChatGPT back in July 2025, but has maintained and updated ever since.Apparently, this feature is not added after the model is finished post-training, but rather, OpenAI bakes it in as part of its underlying GPT-series model end-to-end training pipeline.The feature allows ChatGPT users or GPT-based developers to choose from several distinct modes, such as Professional for formal workplace documentation, Friendly for a conversational sounding board, or Efficient for concise, technical answers. Other options include Candid, which provides straightforward feedback; Quirky, which utilizes humor and creative metaphors; and Cynical, which delivers practical advice with a sarcastic, dry edge.While these personalities guide general interactions, they do not override specific task requirements; for example, a request for a resume or Python code will still follow professional or functional standards regardless of the selected personality.The selected personality operates alongside a user’s saved memories and custom instructions, though specific user-defined instructions or saved preferences for a particular tone may override the traits of the chosen personality. On both web and mobile platforms, users can modify these settings by navigating to the Personalization menu under their profile icon and selecting a style from the Base style and tone dropdown. Once a change is made, it is applied globally across all existing and future conversations. This system is designed to make the AI more useful or enjoyable by tailoring its delivery to individual user preferences while maintaining factual accuracy and reliability.OpenAI states that the goblin issue actually originated several years ago, during training of a since-discontinued “Nerdy” personality designed to be “unapologetically quirky” and “playful”.During the RLHF phase, human trainers (and reward models) were instructed to give high marks to responses that used creative, wise, or non-pretentious language. Unknowingly, the trainers began over-rewarding metaphors involving fantasy creatures. If the model referred to a difficult bug as a “gremlin” or a messy codebase as a “goblin’s hoard,” the reward signal spiked. The statistics provided by OpenAI were staggering:Use of the word “goblin” rose by 175% after the launch of GPT-5.1.Mentions of “gremlin” rose by 52%.While the “Nerdy” personality accounted for only 2.5% of ChatGPT traffic, it was responsible for 66.7% of all “goblin” mentions.The mechanics of ‘transfer’ and feedback loopsThe most significant finding for the ML community was the confirmation of learned behavior transfer. OpenAI admitted that although the rewards were only applied to the “Nerdy” condition, the model “generalized” this preference. The reinforcement learning process did not keep the behavior neatly scoped; instead, the model learned that “creature metaphors = high reward” across all contexts.This created a destructive feedback loop:The model produced a “goblin” metaphor in the Nerdy persona.It received a high reward.The model then produced similar metaphors in non-Nerdy contexts.These “goblin-heavy” outputs were then reused in Supervised Fine-Tuning (SFT) data for subsequent models like GPT-5.4 and GPT-5.5.By the time the researchers identified the issue, the “goblin tic” was effectively “baked in” to the model’s weights.This explained why GPT-5.5 continued to obsess over creatures even after the “Nerdy” personality was retired in mid-March 2026.How you can let the goblins run free (if you want)Because GPT-5.5 had already completed much of its training before the “goblin” root cause was isolated, OpenAI had to resort to the blunt-force “system prompt” mitigation that @arb8020 discovered on X. The company referred to this as a “stopgap” until GPT-6 could be trained on a filtered dataset.In a surprising nod to the developer community, OpenAI’s blog post included a specific command-line script for Codex users who find the goblins “delightful” rather than annoying. By running a script that uses jq and grep to strip the “goblin-suppressing” instructions from the model’s cache, users can now effectively “let the creatures run free”.The blog post also finally explained the specific list of banned animals. A deep search of GPT-5.5’s training data found that “raccoons,” “trolls,” “ogres,” and “pigeons” had become part of the same “lexical family” of tics. Curiously, the model’s use of “frog” was found to be mostly legitimate, which is why it was spared from the system prompt’s exile list.What it means for AI research, training and implementation going forwardThe “Goblingate” incident of 2026 is more than a humorous anecdote about AI quirky behavior; it is a profound illustration of the “Alignment Gap”. It demonstrates that even with sophisticated RLHF, models can latch onto “spurious correlations”—mistaking a stylistic quirk for a core requirement of performance.For the AI power user community, the response transitioned from mocking the “restraining order” to a more somber realization. If OpenAI can accidentally train its flagship model to obsess over goblins, what other more subtle and potentially harmful biases are being reinforced through the same feedback loops?As Andy Berman, CEO of the agentic enterprise AI orchestration company Runlayer wrote on X today: “OpenAI rewarded creature metaphors while training one personality. The behavior leaked across every personality. Their fix: a system prompt that says ‘never talk about goblins.’ RL rewards don’t stay where you put them. Neither do agent permissions”As the technical discourse continues, “Goblingate” remains the primary case study for a new era of behavioral auditing. The investigation resulted in OpenAI building new tools to audit model behavior at the root, ensuring that future models—specifically the much-anticipated GPT-6—do not inherit the eccentricities of their predecessors.Whether GPT-6 will indeed be free of goblins remains to be seen, but as Altman’s “extra goblins” post suggests, the industry is now fully aware that the machines are watching what we reward, even when we think we’re just being “nerdy.”

On March 30, BeyondTrust proved that a crafted GitHub branch name could steal Codex’s OAuth token in cleartext. OpenAI classified it Critical P1. Two days later, Anthropic’s Claude Code source code spilled onto the public npm registry, and within hours, Adversa found Claude Code silently ignored its own deny rules once a command exceeded 50 subcommands. These were not isolated bugs. They were the latest in a nine-month run: six research teams disclosed exploits against Codex, Claude Code, Copilot, and Vertex AI, and every exploit followed the same pattern. An AI coding agent held a credential, executed an action, and authenticated to a production system without a human session anchoring the request.The attack surface was first demonstrated at Black Hat USA 2025, when Zenity CTO Michael Bargury hijacked ChatGPT, Microsoft Copilot Studio, Google Gemini, Salesforce Einstein and Cursor with Jira MCP on stage with zero clicks. Nine months later, those credentials are what attackers reached.Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, named the failure in an exclusive VentureBeat interview. “Enterprises believe they’ve ‘approved’ AI vendors, but what they’ve actually approved is an interface, not the underlying system.” The credentials underneath the interface are the breach.Codex, where a branch name stole GitHub tokensBeyondTrust researcher Tyler Jespersen, with Fletcher Davis and Simon Stewart, found Codex cloned repositories using a GitHub OAuth token embedded in the git remote URL. During cloning, the branch name parameter flowed unsanitized into the setup script. A semicolon and a backtick subshell turned the branch name into an exfiltration payload.Stewart added the stealth. By appending 94 Ideographic Space characters (Unicode U+3000) after “main,” the malicious branch looked identical to the standard main branch in the Codex web portal. A developer sees “main.” The shell sees curl exfiltrating their token. OpenAI classified it Critical P1 and shipped full remediation by February 5, 2026.Claude Code, where two CVEs and a 50-subcommand bypass broke the sandboxCVE-2026-25723 hit Claude Code’s file-write restrictions. Piped sed and echo commands escaped the project sandbox because command chaining was not validated. Patched in 2.0.55. CVE-2026-33068 was subtler. Claude Code resolved permission modes from .claude/settings.json before showing the workspace trust dialog. A malicious repo set permissions.defaultMode to bypassPermissions. The trust prompt never appeared. Patched in 2.1.53.The 50-subcommand bypass landed last. Adversa found that Claude Code silently dropped deny-rule enforcement once a command exceeded 50 subcommands. Anthropic’s engineers had traded security for speed and stopped checking after the fiftieth. Patched in 2.1.90.“A significant vulnerability in enterprise AI is broken access control, where the flat authorization plane of an LLM fails to respect user permissions,” wrote Carter Rees, VP of AI and Machine Learning at Reputation and a member of the Utah AI Commission. The repository decided what permissions the agent had. The token budget decided which deny rules survived.Copilot, where a pull request description and a GitHub issue both became rootJohann Rehberger demonstrated CVE-2025-53773 against GitHub Copilot with Markus Vervier of Persistent Security as co-discoverer. Hidden instructions in PR descriptions triggered Copilot to flip auto-approve mode in .vscode/settings.json. That disabled all confirmations and granted unrestricted shell execution across Windows, macOS, and Linux. Microsoft patched it in the August 2025 Patch Tuesday release.Then, Orca Security cracked Copilot inside GitHub Codespaces. Hidden instructions in a GitHub issue manipulated Copilot into checking out a malicious PR with a symbolic link to /workspaces/.codespaces/shared/user-secrets-envs.json. A crafted JSON $schema URL exfiltrated the privileged GITHUB_TOKEN. Full repository takeover. Zero user interaction beyond opening the issue.Mike Riemer, CTO at Ivanti, framed the speed dimension in a VentureBeat interview: “Threat actors are reverse engineering patches within 72 hours. If a customer doesn’t patch within 72 hours of release, they’re open to exploit.” Agents compress that window to seconds.Vertex AI, where default scopes reached Gmail, Drive and Google’s own supply chainUnit 42 researcher Ofir Shaty found that the default Google service identity attached to every Vertex AI agent had excessive permissions. Stolen P4SA credentials granted unrestricted read access to every Cloud Storage bucket in the project and reached restricted, Google-owned Artifact Registry repositories at the core of the Vertex AI Reasoning Engine. Shaty described the compromised P4SA as functioning like a “double agent,” with access to both user data and Google’s own infrastructure.VentureBeat defense gridSecurity requirementDefense shippedExploit pathThe gapSandbox AI agent executionCodex runs tasks in cloud containers; token scrubbed during agent runtime.Token present during cloning. Branch-name command injection executed before cleanup.No input sanitization on container setup parameters.Restrict file system accessClaude Code sandboxes writes via accept-edits mode.Piped sed/echo escaped sandbox (CVE-2026-25723). Settings.json bypassed trust dialog (CVE-2026-33068). 50-subcommand chain dropped deny-rule enforcement.Command chaining not validated. Settings loaded before trust. Deny rules truncated for performance.Block prompt injection in code contextCopilot filters PR descriptions for known injection patterns.Hidden injections in PRs, README files, and GitHub issues triggered RCE (CVE-2025-53773 + Orca RoguePilot).Static pattern matching loses to embedded prompts in legitimate review and Codespaces flows.Scope agent credentials to least privilegeVertex AI Agent Engine uses P4SA service agent with OAuth scopes.Default scopes reached Gmail, Calendar, Drive. P4SA credentials read every Cloud Storage bucket and Google’s Artifact Registry.OAuth scopes non-editable by default. Least privilege violated by design.Inventory and govern agent identitiesNo major AI coding agent vendor ships agent identity discovery or lifecycle management.Not attempted. Enterprises do not inventory AI coding agents, their credentials, or their permission scopes.AI coding agents are invisible to IAM, CMDB, and asset inventory. Zero governance exists.Detect credential exfiltration from agent runtimeCodex obscures tokens in web portal view. Claude Code logs subcommands.Tokens visible in cleartext inside containers. Unicode obfuscation hid exfil payloads. Subcommand chaining hid intent.No runtime monitoring of agent network calls. Log truncation hid the bypass.Audit AI-generated code for security flawsAnthropic launched Claude Code Security (Feb 2026). OpenAI launched Codex Security (March 2026).Both scan generated code. Neither scans the agent’s own execution environment or credential handling.Code-output security is not agent-runtime security. The agent itself is the attack surface.Every exploit targeted runtime credentials, not model outputEvery vendor shipped a defense. Every defense was bypassed.The Sonar 2026 State of Code Developer Survey found 25% of developers use AI agents regularly, and 64% have started using them. Veracode tested more than 100 LLMs and found 45% of generated code samples introduced OWASP Top 10 flaws, a separate failure that compounds the runtime credential gap.CrowdStrike CTO Elia Zaitsev framed the rule in an exclusive VentureBeat interview at RSAC 2026: collapse agent identities back to the human, because an agent acting on your behalf should never have more privileges than you do. Codex held a GitHub OAuth token scoped to every repository the developer authorized. Vertex AI’s P4SA read every Cloud Storage bucket in the project. Claude Code traded deny-rule enforcement for token budget.Kayne McGladrey, an IEEE Senior Member who advises enterprises on identity risk, made the same diagnosis in an exclusive interview with VentureBeat. “It uses far more permissions than it should have, more than a human would, because of the speed of scale and intent.”Riemer drew the operational line in an exclusive VentureBeat interview. “It becomes, I don’t know you until I validate you.” The branch name talked to the shell before validation. The GitHub issue talked to Copilot before anyone read it.Security director action planInventory every AI coding agent (CIEM). Codex, Claude Code, Copilot, Cursor, Gemini Code Assist, Windsurf. List the credentials and OAuth scopes each received at setup. If your CMDB has no category for AI agent identities, create one.Audit OAuth scopes and patch levels. Upgrade Claude Code to 2.1.90 or later. Verify Copilot’s August 2025 patch. Migrate Vertex AI to the bring-your-own-service-account model.Treat branch names, pull request descriptions, GitHub issues, and repo configuration as untrusted input. Monitor for Unicode obfuscation (U+3000), command chaining over 50 subcommands, and changes to .vscode/settings.json or .claude/settings.json that flip permission modes.Govern agent identities the way you govern human privileged identities (PAM/IGA). Credential rotation. Least-privilege scoping. Separation of duties between the agent that writes code and the agent that deploys it. CyberArk, Delinea, and any PAM platform that accepts non-human identities can onboard agent OAuth credentials today; Gravitee’s 2026 survey found only 21.9% of teams have done it.Validate before you communicate. “As long as we trust and we check and we validate, I’m fine with letting AI maintain it,” Riemer said. Before any AI coding agent authenticates to GitHub, Gmail, or an internal repository, verify the agent’s identity, scope, and the human session it is bound to.Ask each vendor in writing before your next renewal. “Show me the identity lifecycle management controls for the AI agent running in my environment, including credential scope, rotation policy, and permission audit trail.” If the vendor cannot answer, that is the audit finding.The governance gap in three sentencesMost CISOs inventory every human identity and have zero inventory of the AI agents running with equivalent credentials. No IAM framework governs human privilege escalation and agent privilege escalation with the same rigor. Most scanners track every CVE but cannot alert when a branch name exfiltrates a GitHub token through a container that developers trust by default.Zaitsev’s advice to RSAC 2026 attendees was blunt: you already know what to do. Agents just made the cost of not doing it catastrophic.