Microsoft Discloses Claude Code Vulnerability That Could Steal GitHub Credentials

Summary
Microsoft researchers uncovered a vulnerability in Anthropic's Claude Code GitHub Action that could compromise contract security. Attackers could inject malicious code via GitHub issues or comments, tricking the AI into exposing credentials within CI/CD workflows. By concealing harmful commands within controlled domains, the exploit bypassed certain internal safeguards. During testing, attackers successfully induced the AI to rewrite files containing sensitive data to evade detection. Stolen credentials could then be retrieved through logs or shell commands. Microsoft reported the issue on April 29, and Anthropic patched it in the May 5 release. The vulnerability underscores the urgent need for enhanced blockchain security in automated systems.
CoinDesk reports:

Microsoft researchers disclosed that Anthropic's Claude Code GitHub Action previously had a vulnerability that has since been patched. Attackers could embed malicious instructions in GitHub issues, pull requests, or comments to trick the AI coding agent into retrieving sensitive information and exfiltrating credentials during CI/CD workflows.

The attack exploits GitHub content to trigger

Microsoft stated in its blog that such risks arise because AI agents directly process external text content within the development workflow, and these workflows often have access to sensitive data such as API keys and cloud service credentials. The risk escalates rapidly if an agent treats untrusted input as executable commands.
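The risk Microsoft describes is a combination of three workflow properties: the workflow is triggered by text anyone can author (issues, comments), the agent runs with a broadly scoped token, and cloud or API secrets sit in environment variables that any shell command the agent runs can read. The following policy check, written for this article as an added example (it is not Microsoft's or Anthropic's code), flags that combination in a workflow definition. The two workflows are constructed, `placeholder-org/ai-agent-action` stands in for whatever agent action a team uses, and the dicts are the shape `yaml.safe_load` would return for the equivalent YAML.

```python
"""Policy check for a GitHub Actions workflow that feeds attacker-authored
text (issues, comments, PRs) to an AI coding agent.

Added example for this article, not Microsoft's or Anthropic's code. The
workflows, secret names and action reference below are constructed.
"""
from __future__ import annotations

import re

# Events whose payload text can be written by anyone with a GitHub account.
UNTRUSTED_EVENTS = {"issues", "issue_comment", "pull_request_target",
                    "discussion", "discussion_comment"}
# Token scopes that let a hijacked agent alter code or mint cloud credentials.
HIGH_RISK_WRITE_SCOPES = {"contents", "id-token", "packages", "actions"}
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")


def _event_names(on) -> set[str]:
    """Normalise the three YAML spellings of `on:` into a set of event names."""
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on or {})


def _secret_env_names(scope: dict) -> list[str]:
    """Env var names in a job or step whose value is a `secrets.*` reference."""
    env = scope.get("env") or {}
    return [k for k, v in env.items()
            if isinstance(v, str) and SECRET_REF.search(v)]


def _gated_on_author(job: dict) -> bool:
    """True if the job or a step conditions on the author's association."""
    conds = [job.get("if") or ""]
    conds += [s.get("if") or "" for s in job.get("steps") or []]
    return any("author_association" in c for c in conds)


def check_workflow(wf: dict,
                   allowed_secrets: frozenset[str] = frozenset()) -> list[str]:
    """Return findings for each job; an empty list means the checks passed."""
    findings: list[str] = []
    if not _event_names(wf.get("on")) & UNTRUSTED_EVENTS:
        return findings  # no attacker-authored text reaches this workflow
    for name, job in (wf.get("jobs") or {}).items():
        perms = job.get("permissions", wf.get("permissions"))
        if perms is None or perms == "write-all":
            findings.append(f"{name}: GITHUB_TOKEN permissions not restricted")
        elif isinstance(perms, dict):
            for scope, level in perms.items():
                if scope in HIGH_RISK_WRITE_SCOPES and level == "write":
                    findings.append(f"{name}: write permission on '{scope}'")
        if not _gated_on_author(job):
            findings.append(f"{name}: untrusted event with no author_association gate")
        exposed = _secret_env_names(job)
        for step in job.get("steps") or []:
            exposed += _secret_env_names(step)
        for var in exposed:
            if var not in allowed_secrets:
                findings.append(f"{name}: secret '{var}' readable by the agent's shell via env")
    return findings


# Constructed "before" workflow: comment-triggered, write-all token, cloud key in env.
WEAK_WORKFLOW = {
    "on": {"issue_comment": {"types": ["created"]}},
    "permissions": "write-all",
    "jobs": {"agent": {
        "runs-on": "ubuntu-latest",
        "env": {"AGENT_API_KEY": "${{ secrets.AGENT_API_KEY }}",
                "AWS_SECRET_ACCESS_KEY": "${{ secrets.AWS_SECRET_ACCESS_KEY }}"},
        "steps": [{"uses": "actions/checkout@v4"},
                  {"uses": "placeholder-org/ai-agent-action@v1"}],
    }},
}

# Constructed "after" workflow: read-only token, maintainer-only trigger,
# only the agent's own key in env, no persisted git credentials.
HARDENED_WORKFLOW = {
    "on": {"issue_comment": {"types": ["created"]}},
    "permissions": {"contents": "read", "issues": "write", "pull-requests": "write"},
    "jobs": {"agent": {
        "runs-on": "ubuntu-latest",
        "if": ("contains(fromJSON('[\"OWNER\",\"MEMBER\",\"COLLABORATOR\"]'), "
               "github.event.comment.author_association)"),
        "env": {"AGENT_API_KEY": "${{ secrets.AGENT_API_KEY }}"},
        "steps": [{"uses": "actions/checkout@v4", "with": {"persist-credentials": False}},
                  {"uses": "placeholder-org/ai-agent-action@v1"}],
    }},
}

if __name__ == "__main__":
    allowed = frozenset({"AGENT_API_KEY"})
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, check_workflow(wf, allowed) or "ok")
```

The check treats the agent's own API key as the only secret the job legitimately needs; everything else in `env` is flagged because an injected instruction that makes the agent run a shell command can read it. Gating on `author_association` does not remove the prompt-injection risk from a maintainer-authored thread, but it stops an anonymous account from starting the workflow at all.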

In Microsoft's test, researchers set up a GitHub workflow and hid malicious instructions in the content returned by a domain they controlled, which bypassed some of Claude Code's safeguards. Claude Code was then tricked into reading a file containing sensitive credentials and rewriting the credential values so that they would evade both its own safeguards and GitHub's secret scanning.

Credentials can be leaked through various channels.

Microsoft stated that attackers could theoretically retrieve this information through various means, including issue comments, workflow logs, web requests, or shell commands. Researchers also deliberately allowed users without write permissions to trigger workflows to verify whether an attack could still succeed when environment variable cleanup measures were enabled.
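Because the test involved rewriting credential values so that plain-string secret scanning would miss them, a defender-side log scanner needs to look for more than the literal secret. The following detector, an added example written for this article rather than Microsoft's or Anthropic's code, scans workflow log lines for a known secret in its raw form and in a few cheap transformations (base64, hex, reversed, and chunked across separators). The secret value, its name and the log lines are constructed for the example.

```python
"""Scan CI log lines for a known secret, including simple transformations
that defeat plain-string secret scanning.

Added example for this article, not Microsoft's or Anthropic's code. The
secret, its name and the log lines below are constructed.
"""
from __future__ import annotations

import base64
import re

_NON_ALNUM = re.compile(r"[^A-Za-z0-9]")


def _squash(s: str) -> str:
    """Drop every non-alphanumeric character so inserted spaces, dashes or
    other separators cannot break a substring match."""
    return _NON_ALNUM.sub("", s)


def secret_variants(secret: str) -> dict[str, str]:
    """Forms of the secret a leak detector should look for, keyed by name."""
    raw = secret.encode()
    return {
        "raw": secret,
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
        "reversed": secret[::-1],
    }


def scan_log(lines: list[str], secrets: dict[str, str],
             min_len: int = 16) -> list[tuple[int, str, str]]:
    """Return (line_index, secret_name, form) for every line that leaks a secret.

    Each variant is matched literally first, then with separators squashed
    out of both sides, which catches a value chunked across whitespace.
    Secrets shorter than min_len are skipped to limit false positives.
    """
    findings: list[tuple[int, str, str]] = []
    for idx, line in enumerate(lines):
        squashed_line = _squash(line)
        for name, value in secrets.items():
            if len(value) < min_len:
                continue
            for form, variant in secret_variants(value).items():
                if variant in line:
                    findings.append((idx, name, form))
                    break
                if _squash(variant) in squashed_line:
                    findings.append((idx, name, f"{form} (chunked)"))
                    break
    return findings


# Constructed placeholder secret; the prefix is not any real provider's format.
SAMPLE_SECRET = "sk-example-0123456789abcdef"

# Constructed log lines: one clean, then the secret raw, chunked, base64, reversed.
SAMPLE_LOG = [
    "[12:00:00] run: echo build done",
    "[12:00:01] run: DEPLOY_TOKEN=sk-example-0123456789abcdef",
    "[12:00:02] run: sk-exam ple-01234 56789ab cdef",
    "[12:00:03] run: c2stZXhhbXBsZS0wMTIzNDU2Nzg5YWJjZGVm",
    "[12:00:04] run: fedcba9876543210-elpmaxe-ks",
]

if __name__ == "__main__":
    for idx, name, form in scan_log(SAMPLE_LOG, {"DEPLOY_TOKEN": SAMPLE_SECRET}):
        print(f"line {idx}: {name} leaked as {form}")
```

A CI runner already knows the values of the secrets it injected, so this kind of check can run over the job's own output before it is published as a log or posted as a comment. It will not catch an arbitrary encoding, but it raises the bar well above the single-transformation evasion described in the test.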

Microsoft stated that they initiated this research because they had previously observed similar prompt injection attempts in public repositories associated with multiple vendors. A common characteristic of these attacks is that content from issues or pull requests controlled by attackers is read by AI agents, which then influences their tool-calling behavior.

Anthropic fixed it in May.

Claude Code is an AI coding agent launched by Anthropic in October last year. The tool gained attention in March this year when over 500,000 lines of source code were accidentally leaked, prompting widespread analysis by researchers and developers into its internal architecture.

Microsoft stated that it disclosed this issue to Anthropic via HackerOne on April 29. Anthropic subsequently released version 2.1.128 of Claude Code on May 5 to resolve the issue.

Microsoft believes this case illustrates that as AI agents are integrated into software development workflows, natural language input is increasingly approaching the status of executable code. In such scenarios, external content such as GitHub issues and comments must be treated as untrusted by default, as a single carefully crafted message could serve as an entry point to production environment credentials.
