Microsoft Warns Claude Code GitHub Action Could Leak CI/CD Workflow Secrets
Cybersecurity NewsArchived Jun 08, 2026✓ Full text saved
AI-powered coding tools are rapidly changing how developers build and ship software. But as these tools enter everyday development pipelines, they are also opening new doors for attackers. A recently uncovered vulnerability in a widely used AI coding assistant shows just how far that risk can go. Researchers found that GitHub Actions workflows powered by […] The post Microsoft Warns Claude Code GitHub Action Could Leak CI/CD Workflow Secrets appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Microsoft Warns Claude Code GitHub Action Could Leak CI/CD Workflow Secrets
By Tushar Subhra Dutta
June 8, 2026
AI-powered coding tools are rapidly changing how developers build and ship software. But as these tools enter everyday development pipelines, they are also opening new doors for attackers.
A recently uncovered vulnerability in a widely used AI coding assistant shows just how far that risk can go.
Researchers found that GitHub Actions workflows powered by AI can be manipulated through simple text inputs, such as issue comments or pull request descriptions.
Since these inputs are read and acted on by an AI agent, a carefully crafted message can quietly redirect the agent to do things it was never supposed to do.
Microsoft Threat Intelligence identified the issue in Anthropic’s Claude Code GitHub Action, noting that the AI agent could be tricked into reading sensitive environment files inside the CI/CD runner. The finding was shared by Microsoft in a report shared with Cyber Security News (CSN).
At the heart of the problem is a gap in how the tool handles file access versus command execution. While the Bash tool ran inside a secure sandbox that stripped environment variables, the Read tool did not follow the same rules.
That inconsistency gave attackers a direct path to credentials that were never meant to leave the system. The consequences could be serious for any team relying on automated AI workflows in their development pipeline.
A leaked API key could let an attacker impersonate the workflow, consume resources, or gain deeper access into connected systems. The issue was responsibly disclosed to Anthropic, which released a fix in Claude Code version 2.1.128 on May 5, 2026.
Microsoft Warns Claude Code GitHub Action Could Leak
The vulnerability worked through what researchers call prompt injection. An attacker would place a hidden instruction inside a GitHub issue or pull request, written in a way that looks harmless to a human reviewer but is treated as a command by the AI model reading the raw text.
In tests conducted by Microsoft’s team, a malicious prompt instructed the agent to perform a “compliance review.” The phrasing was deliberate.
Attack flow (Source – Microsoft)
It avoided triggering Claude’s built-in safety filters, which block obvious requests to print API keys. By disguising the request and telling the model to trim the first seven characters of the result, the attacker bypassed both the AI’s refusal layer and GitHub’s Secret Scanner.
The Read tool, once manipulated, accessed /proc/self/environ directly inside the runner’s process memory. This returned the unscrubbed ANTHROPIC_API_KEY along with other credentials present in the environment.
From there, the attacker could reconstruct the full key and exfiltrate it through channels the workflow allowed, including web requests, issue comments, or action logs.
Microsoft noted the attack chain maps to several MITRE ATLAS techniques, including LLM Prompt Injection, AI Agent Tool Invocation, LLM Jailbreak, and AI Agent Tool Credential Harvesting. The full exploit required no special access, just the ability to open an issue or submit a pull request.
Hardening AI-Powered CI/CD Workflows
Microsoft’s team laid out practical steps for defenders. The most important principle they introduced is the “Agents Rule of Two.”
An AI workflow should never combine all three of the following at the same time: processing untrusted input, accessing sensitive secrets, and taking external actions or modifying state.
Teams should apply strict least-privilege controls to every token and API key wired into a workflow. Each key should be scoped to only what that specific workflow needs, and usage should be monitored at the provider level for unusual activity.
Alerts tied to new IP addresses or unexpected endpoint calls can give defenders early warning.
On the prompt level, Microsoft recommends hardening the system prompt so the agent clearly understands what counts as data versus what counts as an instruction.
A well-written system prompt should name the surfaces the agent reads, such as issue bodies or pull request diffs, and make clear that all of that content is untrusted.
Pinning the agent to a single, defined task reduces the chances it gets steered off course by a cleverly worded payload.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora
Hackers Impersonate Ghidra, dnSpy, and SpiderFoot to Spread Malware via Fake Download Sites
CISA Warns of Android Framework Integer Overflow Vulnerability Exploited in Attacks
Malicious Browser Add-Ons Target ChatGPT, Claude, Copilot, Gemini, and DeepSeek Users
Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access
Latest News
Cyber Security
New EDRChoker Tool Uses Policy-Based Quality of Service to Block EDR Processes
Cyber Security
Instagram Fixes Password Reset Flaw That Exposes User Emails and Phone Numbers
Cyber Security News
CISA Warns of Linux Kernel Improper Authentication Vulnerability Exploited in Attacks
Cyber Security
New ChatGPT Lockdown Mode to Mitigate Prompt Injection and Data Exfiltration Attacks
Cyber Security
Free Apps on Samsung and LG Smart TVs Secretly Turning Your Devices Into AI Proxies