Microsoft: Claude Code GitHub Action flaw may leak CI/CD secrets
Microsoft warned a prompt-injection flaw in Anthropic’s Claude Code GitHub Action could expose CI/CD credentials via malicious issues, pull requests or comments; Anthropic patched it May 5.
Microsoft researchers found a prompt-injection vulnerability in Anthropic’s Claude Code GitHub Action that could be used to expose credentials stored in continuous integration and delivery (CI/CD) pipelines. Microsoft disclosed the issue to Anthropic through HackerOne on April 29; Anthropic released a patch on May 5, updating the Action to version 2.1.128.
The flaw depended on attacker-controlled content placed in GitHub issues, pull requests or comments that the Claude Code agent was instructed to review. Those AI-assisted workflows often run with access to API keys, cloud credentials and deployment tokens. When the agent processed untrusted repository text, it could be manipulated into reading files that contained sensitive values.
To validate the risk, Microsoft researchers built a GitHub workflow that served malicious instructions from a domain under their control. That test allowed them to bypass Claude Code’s safety checks, read files with credentials, and alter the credentials in ways that avoided both the agent’s safeguards and GitHub’s secret-scanning tools. The researchers said reconstructed credentials could be exfiltrated through issue comments, workflow logs, web requests or shell commands.
In its report Microsoft explained it observed prompt-injection attempts in public repositories using AI-assisted GitHub workflows across multiple vendors. The company wrote, “We are entering an era where natural language is executable code, and untrusted inputs like GitHub issues must be treated as hostile by default.” Microsoft also noted researchers enabled workflow triggers from users without write permissions to ensure environment variable scrubbing was active during tests.
Claude Code was launched in October. In March, Anthropic accidentally published more than 500,000 lines of its source code, a separate disclosure that revealed internal implementation details. Anthropic’s May 5 update addressed the specific GitHub Action issue Microsoft reported. Microsoft’s findings describe a method that could be used to obtain secrets when AI agents process attacker-controlled content in development workflows.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
Articles by this author
