Anthropic Claude Code GitHub Action Flaw Allowed Repository Hijacking
A vulnerability in Anthropic's Claude Code GitHub Action enabled attackers to hijack public repositories by submitting a single malicious issue.

A critical vulnerability discovered in Anthropic's Claude Code GitHub Action could have allowed attackers to hijack public repositories by submitting a single malicious issue. The flaw, identified by security researcher RyotaK, presented a significant risk because the action's own repository utilized the same workflow. This meant a successful exploit could have injected malicious code directly into the Claude Code Action itself, subsequently compromising any projects that integrated it.
The mechanism of the attack involved exploiting how the GitHub Action processed issues. By crafting a malicious issue, an attacker could potentially trigger a workflow that would then execute arbitrary code. Since the Claude Code Action is designed to automate code-related tasks within GitHub repositories, its compromise could lead to widespread damage. Attackers could have used this access to push malicious code, steal sensitive information, or disrupt development pipelines for any user of the action.
Anthropic's Claude Code Action is intended to assist developers by automating code reviews and other development tasks. Its integration into numerous public repositories made the potential impact of this vulnerability particularly severe. The interconnected nature of GitHub Actions means that a vulnerability in a widely used action can have a cascading effect, affecting many downstream projects and users who rely on its functionality without realizing the inherent risk.
While the article does not specify the exact technical details of the exploit, the implication is that the action's workflow was susceptible to code injection through specially crafted issue payloads. This highlights a common challenge in CI/CD pipelines: ensuring that all components, including third-party actions and workflows, are secure and do not introduce vulnerabilities into the development process.
The discovery by RyotaK underscores the importance of security researchers in identifying and reporting such flaws. Prompt disclosure and remediation are crucial to prevent widespread exploitation. The potential for attackers to not only compromise individual repositories but also the action itself represents a significant supply-chain risk.
Anthropic has been notified of the vulnerability and is expected to release a patch to address the issue. Users of the Claude Code GitHub Action are advised to monitor for updates and apply them as soon as they become available. Until a patch is deployed, disabling or reviewing the usage of the action in sensitive repositories may be a necessary precaution.
This incident serves as a stark reminder of the security challenges inherent in the open-source and collaborative nature of software development, particularly within platforms like GitHub. The reliance on shared tools and actions necessitates rigorous security auditing and prompt patching to maintain the integrity of codebases and development workflows.
Microsoft Threat Intelligence has detailed how the Anthropic Claude Code GitHub Action could leak CI/CD secrets by improperly sandboxing its 'Read' tool. This allowed the AI agent to access sensitive files like API keys, including the ANTHROPIC_API_KEY, when processing untrusted GitHub content. Anthropic has since addressed this vulnerability in version 2.1.128 of the action.
This new report from Microsoft details a specific method of exploitation for the Anthropic Claude Code GitHub Action vulnerability, focusing on prompt injection techniques that trick the AI into reading sensitive environment files like ANTHROPIC_API_KEY. The prior report highlighted repository hijacking as a potential outcome, whereas this article elaborates on the mechanism of credential exfiltration and the specific MITRE ATLAS techniques involved, such as LLM Prompt Injection and AI Agent Tool Credential Harvesting.