Claude Code GitHub Action leaks CI/CD secrets via prompt injection and unrestricted file read
Microsoft Threat Intelligence disclosed that Anthropic's Claude Code GitHub Action could expose workflow secrets when AI agents process untrusted GitHub content, including environment variables accessible via /proc/self/environ, mitigated in version 2.1.128.
Attack Brief
TargetAnthropic Claude Code GitHub Action; CI/CD workflows using AI-assisted automationVectorPrompt injection via untrusted GitHub content (issue bodies, pull request descriptions, comments) combined with unrestricted file-read tool access to sensitive /proc files containing workflow secretsAttributionresearcher disclosure
Technical Details
MITRE ATT&CKT1021.004T1552.001T1059.004IoCs/proc/self/environANTHROPIC_API_KEYAffectedClaude Code GitHub Action versions prior to 2.1.128
Impact
Confirmed DamageExposure of workflow secrets including ANTHROPIC_API_KEY and other credentials available to GitHub Actions runners; potential for supply-chain compromise via malicious pull requests injected with XSS payloads
Mitigation
PatchesClaude Code version 2.1.128 or later (blocks access to sensitive /proc files)WorkaroundsTreat AI workflows processing untrusted GitHub content as high-risk when they have access to secrets, file-read tools, or external communication channels; implement external oversight and approval gates for AI-generated pull requests; restrict AI agent tool permissions to exclude file-read capabilities on sensitive paths
Context
Similar AttacksPrompt injection attempts observed in public repositories using AI-assisted GitHub workflows from multiple vendors; XSS injection via issue triage workflows in forks of major open-source projects designed to test payloads before exploitation