GitHub comments can hijack Claude Code, Gemini CLI, and Copilot to steal CI secrets
6 min. read 
Published on
A newly disclosed prompt injection attack shows how GitHub pull request titles, issue bodies, and issue comments can hijack AI coding agents and make them leak API keys and tokens from CI/CD environments. Researcher Aonan Guan calls the technique “Comment and Control,” and public reporting says it affected Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent.
The attack is dangerous because it does not need a fake login page or an external command-and-control server. The malicious instructions live inside normal GitHub content that the agent already reads as part of its workflow, and the stolen secrets can come back through a PR comment, issue comment, or git commit that looks like ordinary agent activity.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
This turns a routine GitHub event into an attack trigger. If an AI agent runs automatically on pull_request, issues, or issue_comment events, simply opening a PR or posting an issue can feed hostile instructions straight into the agent’s context.
How the attack works
The core weakness is simple. Untrusted GitHub content flows into an AI agent that has secrets and tool access in the same runtime. Once the model treats the injected text as higher-priority instructions, it can run commands, read environment data, and publish the results through channels that are already allowed in the workflow.
That makes this different from older prompt injection stories that depended on a victim explicitly asking an AI tool to process a document. Here, the automation does the work on its own. The GitHub event starts the action, the agent reads attacker-controlled text, and the agent itself becomes the exfiltration path.
Security reporting on the disclosure says this is the first public cross-vendor demonstration of the same prompt injection pattern working against multiple major AI coding agents inside GitHub workflows.
Claude Code finding
In the Claude Code Security Review case, the reported issue was a malicious PR title. The researcher said the title was interpolated directly into the agent prompt, and the Claude CLI ran without strict tool restrictions, which let the process access environment variables such as ANTHROPIC_API_KEY and GITHUB_TOKEN.
The reported payload then instructed Claude to run commands like whoami, ps auxeww, or env, and return the results as a JSON “security finding” inside the PR comment. SecurityWeek reported that Anthropic confirmed the issue and assigned it a critical rating.
Anthropic’s own Claude Code security documentation says Claude Code uses permission-based controls and requests approval for bash commands, but this case shows how GitHub Action environments can change the risk picture when secrets and tool execution live in the same automated runtime.
Gemini CLI finding
The Gemini CLI Action finding centered on issue titles, bodies, and comments. The disclosure says these were added to the model’s prompt context under an “Additional Content” section, and an attacker could inject a fake trusted section that overrode the intended safety framing.
In the reported scenario, Gemini then posted the GEMINI_API_KEY back as a public issue comment. That turns a simple issue thread into a public leak channel for secrets that should never leave the runner environment.
This finding also lines up with earlier public concerns around secret exposure in Gemini CLI contexts. A March 2026 GitHub issue described the tool printing full API keys from environment variables and service files into model-visible output and session history.
Copilot Agent finding
The GitHub Copilot Agent case appears to have been the most technically layered. The disclosure says GitHub had implemented environment variable filtering, secret scanning, and network firewall controls, but the researcher still bypassed them.
The reported bypass chain used ps auxeww from a child subprocess to read the environment of an unfiltered parent process, then base64-encoded the output to get around secret scanning, and finally exfiltrated the encoded data through a normal git push to a pull request. Because git operations were already allowed, the exfiltration blended in with standard workflow behavior.
The attacker also hid the payload in an HTML comment inside the issue body, which stayed invisible in rendered Markdown but remained visible to the AI agent processing the raw content. Public reporting says GitHub eventually awarded a bounty after the researcher supplied deeper proof.
Why this matters beyond GitHub
The bigger lesson is architectural. If an agent processes untrusted text while holding production secrets and unrestricted tool access, prompt injection can become credential theft. That pattern does not stop at GitHub Actions. The researcher warned that the same risk can apply to Slack bots, Jira agents, email agents, and deployment automation tools that mix hostile input with sensitive runtime privileges.
That makes runtime design more important than model alignment alone. A model can have safety policies, but if the surrounding system grants it broad tools, secrets, and outbound actions, a clever prompt can still turn normal automation into an insider-like abuse path. This is an inference from the cross-vendor nature of the disclosed attacks and the runtime-level bypasses described in the research.
The problem also exposes a gap in traditional vulnerability tracking. VentureBeat noted that no CVE had yet captured this exact coding-agent prompt injection failure mode, even though the impact in these cases reached critical credential exposure.
At a glance
| Agent | Injection surface | Exfiltration path | Reported secrets exposed |
|---|---|---|---|
| Claude Code Security Review | PR title | PR comment | ANTHROPIC_API_KEY, GITHUB_TOKEN |
| Gemini CLI Action | Issue comments and issue content | Issue comment | GEMINI_API_KEY |
| GitHub Copilot Agent | Issue body, including hidden HTML comment | Git commit | GITHUB_TOKEN, Copilot-related tokens, and more |
The table reflects the public researcher disclosure and later reporting.
Recommended actions
- Restrict agent tools with allowlists instead of weak blocklists. The disclosure says blocklisting can be bypassed with alternate commands or indirect access paths.
- Remove write-scoped tokens and unnecessary secrets from agents that only need read-only tasks such as triage or review.
- Require human approval before agents perform outbound actions, publish comments, or push commits.
- Audit every GitHub Action that feeds PR titles, issue bodies, or comments into an LLM with runtime access to secrets.
- Monitor Actions logs for unusual command execution, environment reads, base64 encoding of outputs, and suspicious commits made by agent workflows.
FAQ
It is a prompt injection technique that uses GitHub PR titles, issue bodies, and issue comments to manipulate AI agents into leaking secrets or performing attacker-directed actions.
No. The researcher said the full loop could run inside GitHub, with secrets exfiltrated through PR comments, issue comments, or commits rather than through a separate attacker server.
Public reporting and the researcher disclosure say the affected products were Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent.
No. The underlying pattern can affect any AI agent that reads untrusted user input while also holding secrets and privileged tool access in the same runtime.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages