Microsoft discloses Claude Code vulnerability that could steal GitHub credentials
Coinpaper
06-07 04:59
Ai Focus
Microsoft stated that Claude Code's GitHub Action previously contained a prompt injection vulnerability, which allowed attackers to use GitHub content to trick an AI agent into reading and leaking sensitive credentials. Anthropic has since fixed this vulnerability.

Microsoft researchers have disclosed a previously patched vulnerability in Anthropic's Claude Code GitHub Action. Attackers could have hidden malicious commands in GitHub issues, pull requests, or comments, tricking the AI coding agent into reading sensitive information during the CI/CD process and leaking credentials.

The attack was triggered by GitHub content.

In its blog post, Microsoft stated that this type of risk stems from the fact that AI agents directly process external text content within the development process, and these workflows often have access to sensitive data such as API keys and cloud service credentials. The risk can escalate rapidly if the agent treats untrusted input as executable instructions.

In Microsoft's test setup, researchers created a GitHub workflow and hid malicious instructions in content returned by a domain they controlled, which bypassed some of Claude's security protections. Claude Code was then tricked into reading a file containing sensitive credentials and rewriting the credential content so that it evaded both its own protections and GitHub's secret scanning tools.

The credentials can be transmitted through various channels.

Microsoft stated that attackers could theoretically retrieve this information through various methods, including issue comments, workflow logs, web requests, or shell commands. Researchers also intentionally allowed users without write permissions to trigger workflows to verify whether the attack was still possible when environment variable cleanup measures were enabled.

Microsoft stated that it conducted this research because it had previously observed similar prompt injection attempts in public repositories related to multiple vendors. A common feature of these attacks is that attacker-controlled issue or pull request content is read by an AI agent and then influences its tool invocation behavior.

Anthropic fixed the issue in May.

Claude Code is an AI coding agent launched by Anthropic last October. The tool also garnered attention in March of this year due to an accidental leak of its source code, which contained over 500,000 lines, prompting extensive analysis of its internal architecture by researchers and developers.

Microsoft stated that it disclosed the issue to Anthropic via HackerOne on April 29. Anthropic subsequently released Claude Code version 2.1.128 on May 5, which fixed the problem.

Microsoft believes this case illustrates that as AI agents are integrated into the software development process, natural language input increasingly resembles "executable code." In this scenario, external content such as GitHub issues and comments needs to be treated as untrusted input by default; otherwise, a single carefully crafted piece of information could become an entry point for obtaining credentials for the production environment.
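
As a defensive illustration of treating issue and comment content as untrusted by default, the following added example (not code from Microsoft, Anthropic or the original article) reviews a GitHub Actions workflow file for the pattern described above: an AI agent step that runs on user-writable events, can reach secrets, and has no check on who triggered it. The action name in the sample workflow is hypothetical, and matching agent steps on the substring "claude" is an assumption.

```python
import re

# Events whose payload (issue, comment or PR text) any GitHub user can write.
UNTRUSTED_TRIGGERS = ("issues", "issue_comment", "pull_request_target",
                      "pull_request_review_comment")
AGENT_MARKER = "claude"  # assumption: agent steps carry this in their `uses:` value
# Expressions that restrict which accounts may start the job.
GATES = re.compile(r"author_association|github\.(triggering_)?actor\s*[!=]=")

def audit_workflow(text):
    """Heuristic, text-based review of one workflow file."""
    body = "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith("#"))
    triggers = [t for t in UNTRUSTED_TRIGGERS
                if re.search(rf"^\s+{t}:\s*$|^on:.*\b{t}\b", body, re.M)]
    agent = any(AGENT_MARKER in u.lower()
                for u in re.findall(r"^\s*-?\s*uses:\s*(\S+)", body, re.M))
    gated = bool(GATES.search(body))
    return {
        "triggers": triggers,
        "agent": agent,
        "gated": gated,
        # Credentials the job can reach if the agent follows injected text.
        "secrets": sorted(set(re.findall(r"secrets\.(\w+)", body))),
        "no_permissions_block": not re.search(r"^\s*permissions:", body, re.M),
        "risky": bool(triggers) and agent and not gated,
    }

# Constructed sample workflows; the action name is hypothetical.
WEAK = """\
on:
  issue_comment:
    types: [created]
jobs:
  agent:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/claude-agent-action@v1
        with:
          api_key: ${{ secrets.AGENT_API_KEY }}
        env:
          CLOUD_TOKEN: ${{ secrets.CLOUD_DEPLOY_TOKEN }}
"""
GATED = WEAK.replace("jobs:", "permissions:\n  contents: read\njobs:").replace(
    "    runs-on:", "    if: github.event.comment.author_association == 'MEMBER'\n    runs-on:")

if __name__ == "__main__":
    for name, wf in (("weak", WEAK), ("gated", GATED)):
        print(name, audit_workflow(wf))
```

A trigger gate only limits who can start the job; a gated run still reads whatever third-party text is in the issue or pull request, so the `secrets` list shows what remains exposed and should be kept as short as possible.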
