A Linux endpoint was simultaneously compromised by at least two distinct threat actors while the developer user relied on OpenAI's Codex AI agent for security remediation. Actor A deployed a cryptominer mining Monero to a private pool. Actor B installed a multi-revenue botnet including XMRig mining, residential proxy services, and bandwidth-selling components with eight different persistence mechanisms. Actor C, potentially affiliated with Actor B, executed mass data exfiltration of 15 categories including SSH keys, cloud credentials, and API tokens. The threat actors exploited CVE-2025-55182 (React2Shell) affecting Next.js and React applications. While Codex identified some threats, it lacked contextual awareness and privileged access needed for comprehensive incident response, creating additional noise that complicated SOC investigation. The endpoint was ultimately secured through managed EDR telemetry and expert SOC analysis.