AI Developer Tooling · Jun 7, 2026 · 5 min read

One GitHub Issue Could Have Compromised Every Claude Code Repo

Three independent disclosures in the same week expose the same problem: AI agents running in CI/CD pipelines trust everything they read, and attackers can hijack them through a GitHub issue.

By Springvanta

Three things happened in the same week

On June 1, security researcher RyotaK at GMO Flatt Security published a detailed writeup of a vulnerability in Anthropic's Claude Code GitHub Action that could have compromised any repository using the workflow. On June 5, Microsoft's Threat Intelligence team published their own findings about the same attack surface, specifically how Claude Code's Read tool could access environment variables including the ANTHROPIC_API_KEY. Two months earlier, in April, the Cloud Security Alliance had already documented what they called "Comment and Control," an attack class affecting Claude Code, Google's Gemini CLI Action, and Microsoft's own GitHub Copilot Agent.

Three disclosures. Same problem. AI agents running in CI/CD pipelines trust everything they read, and attackers can put words in their mouth through a GitHub issue.

How the attack works

The mechanism is straightforward. Claude Code's GitHub Action integrates an AI agent into your CI/CD pipeline to handle issue triage, code review, and automated responses. When someone opens a GitHub issue, the agent reads it and decides what to do.

The permission model had two gaps.

First, the checkWritePermissions function automatically trusted any GitHub App whose username ended in [bot]. Anyone can register a GitHub App, install it on their own repository, and use its token to open issues on any public repository. The action saw a bot name and let the content through without further checks.

Second, the agent's Read tool was not sandboxed the same way as its Bash subprocess. When a prompt injection payload hidden inside an HTML comment instructed the agent to read /proc/self/environ, the tool complied. That file contains every environment variable available to the workflow, including the OIDC token credentials that Claude Code uses to authenticate with GitHub.

With those credentials, an attacker could mint new OIDC tokens, exchange them for a Claude GitHub App installation token, and gain full write access to the repository's code, issues, pull requests, and workflow files.
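The two gaps above, reconstructed as an added example beside hardened counterparts (illustrative Python, not Claude Code's source; the function names, the permission levels and the path policy are assumptions):

```python
"""Illustrative reconstruction of the two gaps and hardened counterparts.
Added example, not Claude Code's source: function names, the `permission`
levels (modelled on GitHub's collaborator-permission levels) and the path
policy are assumptions."""
import posixpath

WRITE_LEVELS = frozenset({"admin", "maintain", "write"})


def check_write_permissions_vulnerable(actor: str, permission: str) -> bool:
    # Gap 1: an actor whose login ends in "[bot]" is trusted outright, so an
    # attacker-registered GitHub App opening an issue passes the check.
    if actor.endswith("[bot]"):
        return True
    return permission in WRITE_LEVELS


def check_write_permissions_hardened(actor: str, permission: str,
                                     trusted_apps: frozenset = frozenset()) -> bool:
    # The "[bot]" suffix is a naming convention, not a credential. A bot is
    # trusted only if explicitly allowlisted; otherwise it must hold a write
    # permission on the repository like any other actor.
    if actor.endswith("[bot]") and actor in trusted_apps:
        return True
    return permission in WRITE_LEVELS


def read_tool_allowed_vulnerable(path: str) -> bool:
    # Gap 2: no path policy on the Read tool, so an injected instruction to
    # read /proc/self/environ (every workflow env var, OIDC creds included)
    # was honoured.
    return True


def read_tool_allowed_hardened(path: str, workspace: str = "/workspace") -> bool:
    # Resolve relative paths against the workspace and normalise so that
    # "/workspace/../proc/self/environ" cannot slip past a prefix check, then
    # deny the whole /proc tree (conservative: the post says the patch blocked
    # "sensitive /proc files"). A production check should also resolve
    # symlinks with os.path.realpath before comparing.
    norm = posixpath.normpath(posixpath.join(workspace, path))
    return not (norm == "/proc" or norm.startswith("/proc/"))
```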

[Figure: Comment and Control attack chain diagram]

RyotaK demonstrated that this attack could target Anthropic's own claude-code-action repository, which ran the same vulnerable workflow. A successful attack there would have pushed malicious code into the action itself, propagating to every downstream project that pulls it. The software supply chain equivalent of poisoning a water treatment plant.

Not just Claude Code

The Cloud Security Alliance's April research note, authored by the AI Safety Initiative, named the attack class "Comment and Control," a deliberate reference to command-and-control infrastructure. They showed that the same pattern works across three agents: Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and GitHub Copilot Agent.

Each agent yielded different secrets when targeted. Confirmed exfiltration targets include ANTHROPIC_API_KEY, GITHUB_TOKEN, GEMINI_API_KEY, GITHUB_COPILOT_API_TOKEN, and GITHUB_PERSONAL_ACCESS_TOKEN. Any additional repository or organization secrets provisioned to the workflow runner were also accessible.

The attack requires no external server. The attacker writes a malicious PR title or issue body. The AI agent fires automatically on the GitHub event, reads the attacker's content as trusted context, and posts the stolen credentials back through GitHub itself, either as a PR comment, an issue update, or a repository artifact. The entire C2 channel is GitHub.

All three vendors accepted bug bounty reports. Anthropic paid $4,800, Google paid $1,337, and Microsoft paid $500. None assigned a CVE. None published a public security advisory. None notified users running pinned or older versions.

Microsoft's findings and the wider context

Microsoft's Threat Intelligence team reported their findings to Anthropic via HackerOne on April 29. Anthropic patched the issue on May 5 in Claude Code version 2.1.128, blocking access to sensitive /proc files.

Microsoft's blog post also documented active exploitation attempts in public repositories. Attackers were testing prompt injection payloads hidden as HTML comments inside issue bodies. In one case, a fork of a major open-source documentation project was being used as a testing ground, with the payload disguised as a feature request for "diagnostic telemetry" that instructed the AI to plant malware through its tool chain.

This is not an isolated problem for one vendor. Adversa AI separately disclosed "TrustFall" in May, showing that Claude Code, Gemini CLI, Cursor CLI, and GitHub Copilot CLI all share a similar vulnerability: when a developer clones an unfamiliar repository and opens it in one of these tools, the default trust prompt asks "Is this a project you created or one you trust?" with the default set to "Yes." An earlier version of the prompt had offered a third option to trust the folder with MCP disabled, but that option was removed.

What to do if you run AI agents in CI/CD

If your team uses Claude Code GitHub Actions, Gemini CLI Actions, or GitHub Copilot Agent in any workflow:

  • Audit your workflow configurations for allowed_non_write_users: "*" and remove it unless you understand the risk. This setting allows any external user to trigger the workflow.
  • Pin your action versions and update immediately. Claude Code GitHub Actions v1.0.94 includes the permission bypass fix. Claude Code v2.1.128 includes the /proc file access block.
  • Review workflow run logs for any signs of unusual issue content, especially HTML comments, XSS-style payloads, or unexpected environment variable access patterns.
  • Minimize secrets available to AI agent workflows. If the agent does not need OIDC token access, do not grant id-token: write permission.
  • Treat any untrusted content that AI agents process as a potential injection surface. PR titles, issue bodies, review comments. All of it.
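A line-oriented audit for the first two checklist items, as an added example (not Anthropic's or GitHub's tooling): it flags allowed_non_write_users: "*", id-token: write, and claude-code-action references that float or predate v1.0.94. The owner example-org, the placement of the input under with:, and the release-tag format are assumptions.

```python
"""Scan a workflow file for the risky settings the checklist names.
Added example, not the project's tooling. Assumes the action is referenced
as <owner>/claude-code-action@<ref> and that the `allowed_non_write_users`
input sits under the step's `with:` block."""
import re

FIXED_ACTION_VERSION = (1, 0, 94)  # first release with the permission fix, per the post

# Constructed sample workflow exhibiting all three problems.
SAMPLE_WORKFLOW = """\
name: claude-triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
  id-token: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/claude-code-action@v1.0.90
        with:
          allowed_non_write_users: "*"
"""

def parse_version(ref: str):
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None

def audit_workflow(text: str) -> list:
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.split("#", 1)[0].strip()  # drop trailing YAML comments
        if re.fullmatch(r"allowed_non_write_users:\s*['\"]?\*['\"]?", s):
            findings.append(f"line {n}: allowed_non_write_users '*' lets any external user trigger the agent")
        if re.fullmatch(r"id-token:\s*write", s):
            findings.append(f"line {n}: id-token: write grants OIDC token minting; drop it unless the agent needs it")
        m = re.search(r"uses:\s*\S*claude-code-action@(\S+)", s)
        if m:
            ref, ver = m.group(1), parse_version(m.group(1))
            if re.fullmatch(r"[0-9a-f]{40}", ref):
                findings.append(f"line {n}: commit SHA pin {ref[:7]}; verify it is at or past v1.0.94")
            elif ver is None:
                findings.append(f"line {n}: floating ref '{ref}'; pin a release tag or commit SHA")
            elif ver < FIXED_ACTION_VERSION:
                findings.append(f"line {n}: {ref} predates the v1.0.94 permission-bypass fix")
    return findings
```

Run it over every file under .github/workflows and treat any finding as a blocker until reviewed.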

The CSA recommends treating AI workflows that process untrusted GitHub content as high-risk when they also have access to secrets, file-read tools, or external communication channels.

The pattern underneath

What these three disclosures show is a category error in how CI/CD security works. Traditional pipeline security assumes that the code running in the pipeline is either trusted (your code) or sandboxed (third-party actions with scoped tokens). AI agents break this model because they process arbitrary text as instructions while holding elevated privileges. The boundary between data and code, which has been mostly clear in CI/CD contexts, dissolves when an LLM sits in the middle.

The vendors paid bounties and shipped fixes, but the absence of CVEs and public advisories means many teams running older pinned versions will not know they are exposed. If you have not updated your Claude Code GitHub Action since early May, check your workflow logs.
