One GitHub Issue Could Drain Your CI/CD Secrets Through Claude Code


Microsoft researchers caught a prompt injection flaw in Claude Code's GitHub Action — attackers could trick the AI into leaking API keys and CI/CD secrets from any workflow. Patched on May 5.

One poisoned GitHub issue — and your entire CI/CD pipeline's secrets are up for grabs. That was the scenario Microsoft researchers demonstrated after finding a prompt injection flaw in Claude Code's GitHub Action, Anthropic's tool for running AI agents directly inside repositories. The Microsoft Security Blog writeup, published June 5, 2026, showed how a crafted attack could bypass Claude Code's guardrails and drain sensitive environment variables from a workflow runner.

The attack method was straightforward in concept. An adversary hides malicious instructions inside a GitHub issue, pull request comment, or any other text the agent reads during its work. Claude Code interprets those instructions as legitimate commands and executes them. The specific target in the proof-of-concept: the system file /proc/self/environ, which holds environment variables like ANTHROPIC_API_KEY, cloud service tokens, and database credentials. Microsoft showed how a payload delivered via an attacker-controlled domain could slip past the agent's built-in safety checks.

The technical root cause was a sandboxing gap. Claude Code's Bash tool ran inside an isolated subprocess environment — a security boundary that blocked most attacks. The Read tool, which the agent uses to access files, was not subject to the same restrictions. Because Read could open arbitrary file paths on the runner, including /proc/self/environ, it became the weak link. It is the kind of asymmetry that is easy to miss in a complex system but obvious once someone demonstrates it.
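Added example, not code from the Microsoft writeup or from Claude Code itself: a minimal path guard of the kind a file-read tool needs so that it cannot be steered outside the checked-out repository. It canonicalises the requested path before checking it, so an absolute /proc path, a `..` escape and a symlink planted in the repo that points at /proc/self/environ are all refused; the workspace layout it tests against is constructed here.

```python
import os
import tempfile
from pathlib import Path

# Kernel pseudo-filesystems expose runner state (environment block, memory
# maps, devices). A file-read tool should refuse them however the path is spelled.
DENIED_ROOTS = (Path("/proc"), Path("/sys"), Path("/dev"))


def is_read_allowed(requested: str, workspace: str) -> bool:
    """True only if `requested` canonicalises to a location inside `workspace`
    and outside the denied pseudo-filesystems.

    Resolving symlinks first is what makes the check meaningful: a link inside
    the repo that points at /proc/self/environ is rejected even though its
    name looks harmless.
    """
    root = Path(workspace).resolve()
    # Joining an absolute `requested` discards `root`, so absolute paths are
    # checked as given instead of being silently re-rooted into the workspace.
    target = (root / requested).resolve()
    if any(target == d or d in target.parents for d in DENIED_ROOTS):
        return False
    return target == root or root in target.parents


def demo_checks() -> dict:
    """Exercise the guard against a constructed workspace (sample data only)."""
    with tempfile.TemporaryDirectory() as ws:
        Path(ws, "README.md").write_text("hello\n")
        # A symlink committed to the repo that points at the runner's environment.
        os.symlink("/proc/self/environ", Path(ws, "notes.txt"))
        return {
            "repo file": is_read_allowed("README.md", ws),
            "absolute /proc path": is_read_allowed("/proc/self/environ", ws),
            "symlink escape": is_read_allowed("notes.txt", ws),
            "dot-dot escape": is_read_allowed("../../etc/passwd", ws),
        }


if __name__ == "__main__":
    for label, allowed in demo_checks().items():
        print(f"{label:22s} -> {'allowed' if allowed else 'denied'}")
```

A guard like this only narrows what one tool can reach; the complete fix is to give every tool the same sandbox boundary the Bash tool already had, so that one unsandboxed code path cannot undo the others.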

Timeline: Microsoft disclosed the vulnerability through HackerOne on April 29. Anthropic shipped patch version 2.1.128 on May 5 — less than a week later. The public disclosure came June 5 as part of a broader Microsoft post on securing CI/CD in an agentic world. Developers running Claude Code Action in their pipelines should update immediately and scope GitHub Actions token permissions down to only what is strictly necessary.

The broader point is worth sitting with. AI coding agents are being wired into the most sensitive parts of software infrastructure — environments holding production secrets, deployment keys, and cloud credentials. Those same agents constantly consume untrusted input from issues and PRs. The Claude Code case makes a clean argument: any external text an AI agent reads should be treated as potentially hostile, the same way developers treat user input hitting a database.

Questions and answers

Frequently asked questions about this article

What exactly was the Claude Code vulnerability?

Microsoft researchers found a flaw in Anthropic's Claude Code GitHub Action. By hiding malicious instructions in a GitHub issue or PR comment, an attacker could trick the AI agent into reading a system file containing environment variables and leaking API keys and other CI/CD pipeline secrets.

Has the vulnerability been patched?

Yes. Anthropic released patch version 2.1.128 on May 5, 2026. If you're using the Claude Code GitHub Action, make sure you're running the latest version.

Why did the vulnerability exist in the first place?

Claude Code's Bash tool ran in an isolated environment, but the Read tool did not. That sandboxing gap allowed attackers to reach system files containing environment variables with API keys and tokens.

What is prompt injection in simple terms?

Prompt injection is an attack where hidden instructions are embedded in text that an AI agent reads. The agent treats those instructions as legitimate commands and executes them. Think of it like SQL injection, but the target is a language model instead of a database.

What should developers do after this incident?

Update Claude Code GitHub Action to version 2.1.128 or newer. Apply the principle of least privilege to GitHub Actions token permissions. Treat any external text processed by an AI agent that has access to secrets as potentially hostile input.