short
- Microsoft researchers found that Anthropic’s Claude Code GitHub Action could be manipulated through injection attacks.
- The attack relied on malicious instructions hidden in GitHub issues, pull requests, or comments that the AI agent was asked to review.
- Anthropic patched the vulnerability in May after Microsoft disclosed the issue through HackerOne.
Microsoft researchers It has been detected A now-patched vulnerability in Anthropic’s Claude Code GitHub Action that could have allowed attackers to expose credentials stored in software development pipelines by manipulating I have an agent Through malicious GitHub content.
In a Blog post Microsoft warned on Friday that AI coding agents operating within CI/CD workflows may create new security risks because these environments often have access to API keys, cloud credentials, and other sensitive information.
“We began this research after observing instant injection attempts into public repositories using GitHub’s AI-powered workflow across multiple vendors, where the attacker-controlled issue, or pull requests, is handled by the AI agent and can impact the use of its tools,” Microsoft wrote.
On GitHub, a pull request allows developers to suggest changes to the code repository and review those changes before they are approved and merged.
The report comes at a time when injection attacks have emerged as one of the biggest security threats facing AI agents. In a Immediate injection Attack, the attacker hides directions In content such as emails, documents, websites, or code comments, causing the AI system to follow these instructions instead of the user’s instructions.
Launched in October, Claude Code is Anthropic’s AI coding agent for software development tasks. The tool came under scrutiny in March after it was accidentally discovered by Anthropic It leaked More than 500,000 lines of its source code, revealing details of its internal structure and stimulating researchers and developers to conduct large-scale analysis.
According to Microsoft, attackers can use injection attacks hidden in GitHub issues, pull requests, or comments to manipulate Claude Code to access files containing sensitive credentials.
To test the vulnerability, Microsoft created a GitHub workflow and hid malicious instructions behind content hosted on a domain it controlled, allowing researchers to bypass Cloud’s integrity protections. The flash injection attack tricked Claude into reading and changing sensitive credentials to evade Claude’s safeguards and GitHub’s secret scanning tools. Microsoft said the attacker could then reconstruct the credentials and exfiltrate them through issue comments, workflow logs, web requests, or shell commands.
“To bypass Sonnet’s denial safety mechanisms, we mask the projectile payload behind a response from a field we control,” the company said. “We have also enabled the workflow to be run by users without Write permissions to ensure that Anthropic environment variable mitigations are active during our testing.”
Anthropic patched the flaw on May 5 with Claude Code version 2.1.128 after Microsoft disclosed the vulnerability through HackerOne on April 29.
Despite the multiple layers of built-in security controls, Microsoft found that a determined attacker could manipulate an AI agent to reveal sensitive information.
“We are entering an era where natural language is executable code, and untrusted input like GitHub issues should be treated as hostile by default,” she said. “One carefully worded comment combined with misunderstood boundaries of trust is all it takes to throw away your production credentials.”
Daily debriefing Newsletter
Start each day with the latest news, plus original features, podcasts, videos and more.
