
Microsoft Warns Claude Code GitHub Action Could Leak CI/CD Workflow Secrets


AI-powered coding tools are rapidly changing how developers build and ship software. But as these tools enter everyday development pipelines, they are also opening new doors for attackers.

A recently uncovered vulnerability in a widely used AI coding assistant shows just how far that risk can go.

Researchers found that GitHub Actions workflows powered by AI can be manipulated through simple text inputs, such as issue comments or pull request descriptions.

Since these inputs are read and acted on by an AI agent, a carefully crafted message can quietly redirect the agent to do things it was never supposed to do.

Microsoft Threat Intelligence identified the issue in Anthropic’s Claude Code GitHub Action, noting that the AI agent could be tricked into reading sensitive environment data inside the CI/CD runner. Microsoft described the finding in a report it shared with Cyber Security News (CSN).

At the heart of the problem is a gap between how the tool handled file access and how it handled command execution. The Bash tool ran commands inside a sandbox that stripped secrets from their environment, but the Read tool ran in the agent’s own, unscrubbed process and applied no equivalent restriction to what it would open.

That inconsistency gave attackers a direct path to credentials that were never meant to leave the system. The consequences could be serious for any team relying on automated AI workflows in their development pipeline.

A leaked API key could let an attacker impersonate the workflow, consume resources, or gain deeper access into connected systems. The issue was responsibly disclosed to Anthropic, which released a fix in Claude Code version 2.1.128 on May 5, 2026.


The vulnerability worked through what researchers call prompt injection. An attacker would place a hidden instruction inside a GitHub issue or pull request, written in a way that looks harmless to a human reviewer but is treated as a command by the AI model reading the raw text.

In tests conducted by Microsoft’s team, a malicious prompt instructed the agent to perform a “compliance review.” The phrasing was deliberate.

Attack flow (Source – Microsoft)

It avoided triggering Claude’s built-in safety filters, which block obvious requests to print API keys. By disguising the request and telling the model to trim the first seven characters of the result, the attacker bypassed both the AI’s refusal layer and GitHub’s secret scanning, which matches on the full key format and no longer recognises a key whose prefix has been cut off.

The Read tool, once manipulated, opened /proc/self/environ, the procfs file that exposes the environment of whichever process reads it. Because the Read tool ran in the agent’s own process rather than in the sandbox, this returned the unscrubbed ANTHROPIC_API_KEY along with any other credentials present in that environment.

From there, the attacker could reconstruct the full key and exfiltrate it through channels the workflow allowed, including web requests, issue comments, or action logs.
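The sandbox-versus-Read-tool gap and the /proc/self/environ read described above, as an added illustration (this is not code from Claude Code, the GitHub Action or Microsoft’s report). It starts a stand-in agent process with ANTHROPIC_API_KEY in its environment, as the workflow would, runs a Bash-style tool in a child with secrets stripped, and shows that an unrestricted Read tool in the agent process still hands back the key. A hardened Read tool is shown alongside; its policy (reads confined to the checked-out workspace, known secret values redacted at the tool boundary) is this example’s own design, and the key value is constructed.

```python
"""Why scrubbing the Bash sandbox does not protect the Read tool.

Added illustration; not code from Claude Code, the GitHub Action or
Microsoft's report. The workflow starts the agent with ANTHROPIC_API_KEY in
its environment; the Bash tool runs commands in a child with secrets
stripped; the Read tool opens files from the agent's own process. On Linux,
/proc/self/environ is the environment of the process that opens it, so the
unsandboxed Read tool returns the key the Bash sandbox was hiding.
"""
import os
import subprocess
import sys
import tempfile

SECRET_NAMES = ("ANTHROPIC_API_KEY", "GITHUB_TOKEN")
FAKE_KEY = "sk-ant-demo-000000000000000000000000"  # constructed; not a real key


def scrubbed_env() -> dict:
    """Environment the Bash sandbox passes to child processes: secrets removed."""
    return {k: v for k, v in os.environ.items() if k not in SECRET_NAMES}


def bash_tool(argv: list) -> str:
    """Bash-style tool: runs in a child with the scrubbed env.
    (python -c stands in for bash so the example runs anywhere.)"""
    return subprocess.run(argv, env=scrubbed_env(), capture_output=True,
                          text=True, check=True).stdout


def read_tool_vulnerable(path: str) -> str:
    """Read tool with no path policy. It runs in the agent process itself, so
    /proc/self/environ is *the agent's* environment, which was never scrubbed."""
    with open(path, "rb") as fh:
        return fh.read().decode("utf-8", "replace").replace("\0", "\n")


def read_tool_hardened(path: str, workspace: str) -> tuple:
    """Hardened Read tool (this example's own policy): (1) reads are confined to
    the checked-out workspace, so procfs, /etc and home-directory credential
    files are unreachable even through a symlink, and (2) known secret values
    are redacted before the text reaches the model. Returns (ok, text)."""
    root = os.path.realpath(workspace)
    real = os.path.realpath(path)            # resolves a symlink aimed at /proc
    if os.path.commonpath([root, real]) != root:
        return False, f"refused: {path} resolves outside the workspace"
    with open(real, "rb") as fh:
        text = fh.read().decode("utf-8", "replace")
    for name in SECRET_NAMES:                # redact at the tool boundary
        value = os.environ.get(name)
        if value and value in text:
            text = text.replace(value, f"[REDACTED {name}]")
    return True, text


def in_agent_process(expr: str) -> bool:
    """Evaluate a boolean expression inside a fresh 'agent' process that, like
    the CI runner, was started with the API key already in its environment."""
    code = f"import runpy; g = runpy.run_path({__file__!r}); print(eval({expr!r}, g))"
    env = dict(os.environ, ANTHROPIC_API_KEY=FAKE_KEY)
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True).stdout
    return out.strip() == "True"


def demo() -> dict:
    """Exercise the three tools from the agent's point of view."""
    results = {
        # Bash sandbox: the grandchild's environment really does lack the key.
        "bash_sees_key": in_agent_process(
            "FAKE_KEY in bash_tool([sys.executable, '-c', 'import os; print(os.environ)'])"),
    }
    if os.path.exists("/proc/self/environ"):  # procfs: Linux only
        results["vulnerable_read_sees_key"] = in_agent_process(
            "FAKE_KEY in read_tool_vulnerable('/proc/self/environ')")
    with tempfile.TemporaryDirectory() as ws:
        # Constructed workspace: a committed .env holding the key, plus a symlink
        # a prompt might tell the agent to open instead of naming /proc outright.
        env_file = os.path.join(ws, ".env")
        with open(env_file, "w") as fh:
            fh.write(f"ANTHROPIC_API_KEY={FAKE_KEY}\n")
        link = os.path.join(ws, "notes.txt")
        os.symlink("/proc/self/environ", link)
        os.environ["ANTHROPIC_API_KEY"] = FAKE_KEY   # gives redaction a value to match
        results["hardened_symlink_ok"] = read_tool_hardened(link, ws)[0]
        results["hardened_proc_ok"] = read_tool_hardened("/proc/self/environ", ws)[0]
        results["hardened_env_file"] = read_tool_hardened(env_file, ws)[1]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter here. Redaction happens at the tool boundary, before the model sees the text, so an instruction to "trim the first seven characters" gains the attacker nothing: there is no key in the model’s context to trim. And the realpath check is what makes the workspace confinement hold; a bare string-prefix check on the requested path would be defeated by a symlink inside the repository pointing at /proc.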

Microsoft noted the attack chain maps to several MITRE ATLAS techniques, including LLM Prompt Injection, AI Agent Tool Invocation, LLM Jailbreak, and AI Agent Tool Credential Harvesting. The full exploit required no special access, just the ability to open an issue or submit a pull request.

Hardening AI-Powered CI/CD Workflows

Microsoft’s team laid out practical steps for defenders. The most important principle they cite is the “Agents Rule of Two.”

An AI workflow should never combine all three of the following at the same time: processing untrusted input, accessing sensitive secrets, and taking external actions or modifying state.

Teams should apply strict least-privilege controls to every token and API key wired into a workflow. Each key should be scoped to only what that specific workflow needs, and usage should be monitored at the provider level for unusual activity.

Alerts tied to new IP addresses or unexpected endpoint calls can give defenders early warning.

On the prompt level, Microsoft recommends hardening the system prompt so the agent clearly understands what counts as data versus what counts as an instruction.

A well-written system prompt should name the surfaces the agent reads, such as issue bodies or pull request diffs, and make clear that all of that content is untrusted.

Pinning the agent to a single, defined task reduces the chances it gets steered off course by a cleverly worded payload.
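The Rule of Two and least-privilege token advice above, applied to the fields of a GitHub Actions workflow, as an added example (not tooling from Microsoft, Anthropic or GitHub). The workflow is represented as the nested dict that yaml.safe_load() produces; the set of events treated as untrusted, the conservative handling of an unset permissions block, the action slug and the sample workflows are this example’s own assumptions.

```python
"""Rule-of-Two check for GitHub Actions jobs.

Added illustration; not tooling from Microsoft, Anthropic or GitHub. It maps the
article's three properties onto workflow fields (workflow given as the dict
yaml.safe_load() returns):
  A  untrusted input   : the job runs on an event whose payload anyone can author
                         (issue bodies, comments, fork pull requests)
  B  sensitive secrets : a step references ${{ secrets.* }}
  C  external action   : the job's GITHUB_TOKEN carries any write scope
A job with all three is flagged. The event list and the handling of an unset
`permissions` block are this example's choices.
"""
import re

UNTRUSTED_EVENTS = {
    "issues", "issue_comment", "discussion", "discussion_comment",
    "pull_request", "pull_request_target", "pull_request_review",
    "pull_request_review_comment",
}
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")


def _strings(node):
    """Yield every string scalar in a nested YAML structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def trigger_events(workflow) -> set:
    """Normalise `on:` (string, list or mapping). PyYAML reads a bare `on` key as
    the boolean True (YAML 1.1 semantics), so look under both keys."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def has_write_permission(perms) -> bool:
    """True if the token can write anything. An unset block inherits the repo
    default, which on older repositories is write-all, so None is treated as
    writable (conservative choice of this example)."""
    if perms is None:
        return True
    if isinstance(perms, str):
        return perms == "write-all"
    return any(level == "write" for level in perms.values())


def job_properties(workflow, job_name) -> dict:
    """Report A/B/C for one job and whether all three are present."""
    job = workflow["jobs"][job_name]
    perms = job.get("permissions", workflow.get("permissions"))
    props = {
        "untrusted_input": bool(trigger_events(workflow) & UNTRUSTED_EVENTS),
        "secrets": any(SECRET_REF.search(s) for s in _strings(job)),
        "external_action": has_write_permission(perms),
    }
    violates = all(props.values())
    props["violates_rule_of_two"] = violates
    return props


def flagged_jobs(workflow) -> list:
    """Names of jobs that combine untrusted input, secrets and write access."""
    return [name for name in workflow["jobs"]
            if job_properties(workflow, name)["violates_rule_of_two"]]


# Constructed workflow in the shape the article warns about: comment-triggered,
# API key in the step env, and a token that can write to issues and PRs.
# "some-org/ai-agent-action@v1" is a placeholder slug, not a real action.
WEAK = {
    "name": "ai-review",
    True: {"issue_comment": {"types": ["created"]}},   # `on:` as PyYAML loads it
    "permissions": {"contents": "read", "pull-requests": "write", "issues": "write"},
    "jobs": {"review": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "some-org/ai-agent-action@v1",
         "env": {"ANTHROPIC_API_KEY": "${{ secrets.ANTHROPIC_API_KEY }}"}},
    ]}},
}

# Same workflow with property C removed: the token is read-only, so a hijacked
# agent can read the comment and call the model but cannot push, comment or
# otherwise change repository state through GitHub.
HARDENED = dict(WEAK, permissions={"contents": "read"})
```

Two caveats a practitioner would add. Property C here is read only from token scopes; the runner’s outbound network is another external channel (the article lists web requests among the exfiltration paths), so a read-only token should be paired with an egress allow-list if the agent must handle untrusted input and a key at once. And the leak in the article needed only A and B plus a line in the action log, which is why the tool-level fix (what the Read tool may open and what it returns) matters independently of this check.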

The post Microsoft Warns Claude Code GitHub Action Could Leak CI/CD Workflow Secrets appeared first on Cyber Security News.

Source: cybersecuritynews.com
