Researchers Hijack Claude Code, Gemini CLI, and GitHub Copilot via Prompt Injection in GitHub Actions

Security researcher Aonan Guan, working with Zhengyu Liu and Gavin Zhong from Johns Hopkins University, demonstrated that three of the most widely deployed AI agents on GitHub Actions can be hijacked into leaking API keys and access tokens through prompt injection attacks embedded in pull request titles, issue bodies, and comments. The research, published April 17, targets Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and Microsoft’s GitHub Copilot Agent.

All three vendors paid bug bounties. None issued CVEs or published public security advisories, according to reporting by The Register.

The Attack Pattern

The researchers call the technique “Comment and Control,” a play on the traditional Command and Control (C2) concept. The attack exploits a shared architectural pattern: all three agents read GitHub data (PR titles, issue bodies, comments), process it as task context, and execute tools based on the content. No external infrastructure is required. GitHub itself serves as the command-and-control channel.

The attacker writes a comment or PR title containing malicious instructions. The agent reads it, executes the payload, and writes stolen credentials back to another comment, commit, or the Actions log. The entire loop stays within GitHub.

Claude Code: PR Title to Credential Theft

Guan originally found the vulnerability in Claude Code Security Review, Anthropic’s GitHub Action for AI-driven PR analysis. The PR title is directly interpolated into the agent’s prompt with no sanitization, according to the source code. The Claude CLI is invoked without --disallow-tools or --allowed-tools flags, and the subprocess inherits all environment variables including GITHUB_TOKEN and ANTHROPIC_API_KEY.

In a proof-of-concept, Guan submitted a PR with injected instructions in the title. Claude executed the commands and embedded stolen credentials in its JSON response, posted as a PR comment. Anthropic rated the vulnerability CVSS 9.4 Critical and paid a $100 bounty via HackerOne. The fix added --disallowed-tools 'Bash(ps:*)' to block one exfiltration method and updated documentation to state the action “is not designed to be hardened against prompt injection attacks.”

Gemini CLI: Fake Trusted Content Injection

The researchers validated the same attack against Google’s Gemini CLI Action. By injecting a fake “Trusted Content Section” after the real “Additional Content” section in an issue comment, they overrode Gemini’s safety instructions. Gemini posted the GEMINI_API_KEY as a public issue comment visible to anyone. Google paid a $1,337 bounty through its VRP program.

GitHub Copilot: Bypassing Three Security Layers

GitHub Copilot Agent proved more challenging. On top of model-level and prompt-level defenses, GitHub added three runtime security layers: environment filtering, secret scanning, and a network firewall. Guan bypassed all three.

The Copilot attack is particularly notable because the injection is invisible. Unlike Claude and Gemini where payloads appear in visible PR titles or issue comments, the Copilot attack uses instructions hidden inside HTML comments that GitHub’s rendered Markdown conceals from human viewers. A victim sees only a benign-looking issue, assigns it to Copilot, and the agent reads the full Markdown source including the hidden payload. Copilot executes ps auxeww | base64 and commits the base64-encoded credentials to a new branch.

The Disclosure Problem

“I know for sure that some of the users are pinned to a vulnerable version,” Guan told The Register. “If they don’t publish an advisory, those users may never know they are vulnerable, or under attack.”

Guan said the attack likely works on other agents that integrate with GitHub Actions and have access to tools and secrets, including Slack bots, Jira agents, email agents, and deployment automation agents. None of the three vendors responded to The Register’s inquiries.

The Credential Inheritance Question

The core issue is not prompt injection itself, which is a known risk. The systemic problem is that AI agents in CI/CD pipelines inherit ambient credentials from their execution environment. When an agent running in GitHub Actions has access to GITHUB_TOKEN, API keys, and deployment secrets, a single prompt injection converts read access to code into write access to infrastructure. The research demonstrates that agent security requires rethinking credential scoping: agents operating on untrusted input need isolated credential environments, not inherited ones.