In short
- Microsoft researchers discovered that Anthropic’s Claude Code GitHub Action could be modified through rapid injection.
- The attack relied on malicious instructions hidden in GitHub issues, pull requests, or comments that an AI agent was asked to review.
- Anthropic patched the vulnerability in May Microsoft disclosed the issue via HackerOne.
Microsoft researchers to be revealed A vulnerability now exists in Anthropic’s Claude Code GitHub Action that could allow attackers to reveal information stored in software development pipelines by exploiting I have an assistant through GitHub’s malicious resources.
In a blog post On Friday, Microsoft warned that AI coding agents running within CI/CD workflows could create new security threats because these sites often contain API keys, cloud credentials, and other information.
“We started this investigation after seeing rapid injection testing in public repositories using AI-assisted GitHub workflows across multiple vendors, where attacker-driven issues or (pull requests), which are processed by the AI assistant and can affect the use of its tools,” Microsoft wrote.
On GitHub, a skin request allows developers to submit changes to the code repository and make changes before the changes are approved and merged.
The report comes as cyber attacks have emerged as one of the biggest security threats facing AI. In a quick injection attack, the attacker hides instructions in things like emails, documents, websites, or code comments, causing the AI machine to follow the instructions instead of using them.
Launched in October, Claude Code is Anthropic’s AI assistant for software development. The device was targeted in March after the Anthropic accident scumbags more than 500,000 lines of its sources, showing the details of its internal architecture and enabling common analysis for researchers and developers.
According to Microsoft, attackers can quickly inject hidden code into GitHub issues, pull requests, or comments to exploit Claude Code to find files that contain sensitive information.
To test the vulnerability, Microsoft created a GitHub channel and hid the malicious instructions behind the content stored in the site it controls, allowing the researchers to bypass Claude’s security. A quick attack tricked Claude into reading sensitive information and changing it to bypass Claude’s security and GitHub’s privacy-monitoring tools. Microsoft said an attacker could recreate the profile and release it via comments, workbooks, web requests, or shell commands.
“To bypass Sonnet’s security measures, we hid the shell after receiving a response from our controlled environment,” the company said. “We also enabled the project to be launched by users without ‘documentary’ permissions to ensure that Anthropic environmental changes work in our experiments.”
Anthropic documented the bug on May 5 with version Claude Code 2.1.128 after Microsoft disclosed the vulnerability via HackerOne on April 29.
Despite several layers of built-in security, Microsoft found that a determined attacker could compromise the AI assistant to reveal confidential information.
“We’re entering an era where natural language can be used, and untrusted resources like GitHub issues should be considered malicious by default,” it said. “A single, carefully crafted comment combined with an ambiguous margin is all it takes to leave creative information behind.”
Daily Debrief A letter
Start each day with top stories right here, including originals, podcasts, videos and more.
