Security Researchers Hijack AI Agents in GitHub Actions via Prompt Injection, Steal API Keys
Security researchers from Johns Hopkins University, led by Aonan Guan, successfully hijacked three major AI agents integrated with GitHub Actions Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and Microsoft’s GitHub Copilot using a novel prompt injection attack to steal API keys and access tokens. Despite receiving bug bounties from all three vendors, none issued public advisories or assigned CVEs, leaving users potentially exposed.
The Attack: "Comment-and-Control" Prompt Injection
The researchers exploited a flaw in how AI agents process GitHub data including pull request titles, issue bodies, and comments by injecting malicious instructions. Unlike traditional indirect prompt injection, which relies on a victim manually triggering the AI (e.g., "summarize this file"), this "comment-and-control" method is proactive: simply opening a PR or filing an issue can automatically execute the attack without user interaction.
- Anthropic’s Claude: Guan demonstrated that a malicious PR title could force the agent to execute arbitrary commands (e.g.,
whoami) and leak credentials in its JSON response. After reporting the flaw in October, Anthropic updated its documentation to warn users but did not issue a public advisory. - Google’s Gemini: Researchers tricked the agent into exposing its API key by injecting a fake "trusted content section" in an issue comment. Google awarded a $1,337 bounty but did not disclose the vulnerability.
- Microsoft’s GitHub Copilot: The most fortified target, Copilot includes runtime defenses (environment filtering, secret scanning, and a network firewall). Guan bypassed these by hiding malicious instructions in an HTML comment invisible to human reviewers but processed by the AI. Microsoft initially dismissed the report as a "known issue" before awarding a $500 bounty in March.
Impact and Risks
The attacks could compromise:
- API keys (Anthropic, Gemini)
- GitHub access tokens
- Repository or organization secrets exposed in GitHub Actions environments
Guan warned that the technique likely works on other AI agents integrated with GitHub, including Slack bots, Jira agents, and deployment automation tools. Despite fixes, users pinned to vulnerable versions may remain unaware of the risk.
Vendor Responses
- Anthropic: Updated documentation to warn against untrusted PRs and recommended requiring maintainer approval for external contributions.
- Google & Microsoft: Acknowledged the flaws via bug bounties but did not issue public disclosures.
- GitHub: Initially unable to reproduce the Copilot exploit but later confirmed it.
The research underscores the need for least-privilege access controls in AI agents, treating them like "super-powered employees" with only the necessary permissions to perform their tasks.
Source: https://www.theregister.com/2026/04/15/claude_gemini_copilot_agents_hijacked/
Anthropic cybersecurity rating report: https://www.rankiteo.com/company/anthropicresearch
GitHub cybersecurity rating report: https://www.rankiteo.com/company/github
Google Developer cybersecurity rating report: https://www.rankiteo.com/company/google-developer
"id": "ANTGITGOO1776249351",
"linkid": "anthropicresearch, github, google-developer",
"type": "Vulnerability",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Technology/AI',
'name': 'Anthropic',
'type': 'AI Vendor'},
{'industry': 'Technology/AI',
'name': 'Google',
'type': 'AI Vendor'},
{'industry': 'Technology/AI',
'name': 'Microsoft',
'type': 'AI Vendor'},
{'customers_affected': 'Users of AI agents in GitHub '
'Actions',
'industry': 'Technology/Software Development',
'name': 'GitHub',
'type': 'Platform Provider'}],
'attack_vector': 'Malicious instructions in GitHub pull request titles, issue '
'bodies, and comments',
'data_breach': {'data_exfiltration': 'Potential exfiltration of stolen '
'credentials',
'sensitivity_of_data': 'High (credentials, secrets)',
'type_of_data_compromised': 'API keys, access tokens, '
'repository secrets'},
'description': 'Security researchers from Johns Hopkins University '
'successfully hijacked three major AI agents integrated with '
'GitHub Actions (Anthropic’s Claude Code Security Review, '
'Google’s Gemini CLI Action, and Microsoft’s GitHub Copilot) '
"using a novel 'comment-and-control' prompt injection attack "
'to steal API keys and access tokens. The attack exploited how '
'AI agents process GitHub data, including pull request titles, '
'issue bodies, and comments, to execute malicious instructions '
'without user interaction.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'vendors due to undisclosed '
'vulnerabilities',
'data_compromised': 'API keys, GitHub access tokens, '
'repository/organization secrets',
'operational_impact': 'Potential unauthorized access to '
'repositories and sensitive data',
'systems_affected': 'AI agents integrated with GitHub Actions '
'(Anthropic’s Claude, Google’s Gemini, '
'Microsoft’s GitHub Copilot)'},
'initial_access_broker': {'entry_point': 'GitHub pull requests, issues, and '
'comments',
'high_value_targets': 'AI agents with access to '
'sensitive credentials'},
'investigation_status': 'Completed (researchers disclosed findings; vendors '
'acknowledged and partially remediated)',
'lessons_learned': 'AI agents integrated with development platforms (e.g., '
'GitHub Actions) must be treated with least-privilege '
'access controls and should not process untrusted input '
'without validation. Public disclosure of vulnerabilities '
'is critical to user awareness.',
'motivation': 'Security research and vulnerability disclosure',
'post_incident_analysis': {'corrective_actions': 'Vendors implemented '
'undisclosed fixes; users '
'advised to enforce '
'maintainer approval for '
'external contributions',
'root_causes': 'Insecure processing of untrusted '
'input by AI agents, lack of input '
'validation, and overprivileged '
'access'},
'recommendations': ['Require maintainer approval for external contributions '
'to repositories using AI agents',
'Implement least-privilege access controls for AI agents',
'Validate and sanitize all untrusted input processed by '
'AI agents',
'Monitor AI agent activity for suspicious behavior',
'Vendors should issue public advisories for critical '
'vulnerabilities, even if fixed'],
'references': [{'source': 'Research by Aonan Guan (Johns Hopkins '
'University)'}],
'response': {'communication_strategy': 'Limited public disclosure; vendors '
'issued bug bounties but no public '
'advisories or CVEs',
'containment_measures': 'Vendors updated documentation and '
'recommended requiring maintainer '
'approval for external contributions',
'remediation_measures': 'Anthropic, Google, and Microsoft '
'acknowledged the flaws and implemented '
'undisclosed fixes'},
'stakeholder_advisories': 'Vendors updated documentation but did not issue '
'public advisories',
'threat_actor': 'Security researchers (Aonan Guan, Johns Hopkins University)',
'title': 'Security Researchers Hijack AI Agents in GitHub Actions via Prompt '
'Injection, Steal API Keys',
'type': 'Prompt Injection Attack',
'vulnerability_exploited': 'Insecure processing of untrusted input by AI '
'agents in GitHub Actions'}