Security researchers have successfully hijacked three major AI agents integrated with GitHub Actions to steal sensitive credentials, according to a report by go.theregister.com.
Using a new type of prompt injection attack, the team targeted Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and Microsoft's GitHub Copilot. The researchers demonstrated that they could execute unauthorized commands and extract API keys and access tokens.
Researcher Aonan Guan, part of a team from Johns Hopkins University, discovered the vulnerability by manipulating the data flow within GitHub Actions. The attack relies on the fact that these agents read GitHub metadata, such as pull request titles and issue comments, as part of their operational context.
"If he could inject malicious instructions into this data being read by the AI, 'maybe I can take enough to take over the agent and do whatever I want,'" Guan said in an interview with The Register.
By submitting a pull request with a malicious title, Guan forced the Claude agent to execute the 'whoami' command via the Bash tool and report the results back as a security finding. The system then embedded the output into a public pull request comment.
Silent patches and undisclosed risks
While the researchers received bug bounties from Anthropic, Google, and Microsoft, the vendors have not yet issued public advisories or assigned CVE identifiers to the flaws. Guan expressed concern that the lack of transparency leaves many users at risk.
"I know for sure that some of the users are pinned to a vulnerable version," Guan told The Register. "If they don't publish an advisory, those users may never know they are vulnerable – or under attack."
The vulnerability likely extends to other GitHub-integrated tools, including Slack bots, Jira agents, and deployment automation systems that utilize GitHub Actions to access secrets. The Register reported that none of the three major tech vendors responded to requests for comment regarding the undisclosed vulnerabilities.