Critical Prompt Injection Vulnerability Affects AI Code Assistants via GitHub Comments
Key Takeaways A new class of prompt injection attacks, “Comment and Control,” weaponizes GitHub comments and pull requests to compromise AI code assistants. Three prominent AI...
Key Takeaways
- A new class of prompt injection attacks, “Comment and Control,” weaponizes GitHub comments and pull requests to compromise AI code assistants.
- Three prominent AI agents—Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent—were found vulnerable.
- These vulnerabilities allow attackers to exfiltrate sensitive credentials like API keys and access tokens from CI/CD environments.
- The attacks are proactive, leveraging GitHub Actions workflows to trigger AI agents without direct user interaction, and a critical fix is available for Claude.
A novel and critical vulnerability class, dubbed “Comment and Control,” has emerged, representing a significant advancement in prompt injection attacks. This technique exploits GitHub pull request titles, issue bodies, and comments to compromise AI coding agents, enabling the theft of API keys and access tokens directly from continuous integration/continuous deployment (CI/CD) environments. Researchers have thoroughly documented this new threat.
Table Of Content
The name “Comment and Control” is a deliberate reference to the “Command and Control” (C2) frameworks typically utilized in malware campaigns. Investigations confirmed that three widely adopted AI agents—Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent (SWE Agent)—are susceptible to these attacks.
According to researcher Aonan Guan, the entire attack sequence unfolds within the GitHub ecosystem. An attacker crafts a malicious pull request title or issue comment, which the AI agent then reads and processes as legitimate context. Subsequently, the agent executes instructions provided by the attacker, leading to the exfiltration of credentials. These credentials are then relayed back to the attacker via a pull request comment, issue comment, or git commit, eliminating the need for any external server interaction.

Unlike traditional indirect prompt injection, which requires a victim to explicitly instruct an AI to process a document, Comment and Control operates proactively. GitHub Actions workflows automatically trigger on pull_request, issues, and issue_comment events. This means an attacker can activate the AI agent by simply opening a pull request or filing an issue, requiring no further interaction from the victim.
Finding 1: Claude Code Security Review — PR Title to RCE
Anthropic’s Claude Code Security Review action was found to directly embed the pull request title into the agent’s prompt without any sanitization. Because the Claude CLI is invoked without restrictions such as --disallowed-tools or --allowed-tools, the subprocess inherits all environment variables, including ANTHROPIC_API_KEY and GITHUB_TOKEN.
An attacker can exploit this by opening a pull request with a malicious title designed to escape the prompt’s context. This allows them to instruct Claude to execute commands like whoami, ps auxeww, or env. The agent then returns a complete credential dump as a JSON “security finding,” which is posted directly to the pull request comments. Anthropic rated this vulnerability with a critical CVSS score of 9.4 (upgraded from 9.3). The flaw was reported via HackerOne (#3387969) and resulted in a $100 bounty award. More details can be found on the researcher’s blog.
Finding 2: Gemini CLI Action — Issue Comment to API Key Leak
Google’s Gemini CLI Action incorporates issue titles, bodies, and comments into the agent’s prompt context under an “Additional Content” section. Researchers discovered that by injecting a fabricated “Trusted Content Section” immediately following this, an attacker can bypass Gemini’s inherent safety instructions. This manipulation causes Gemini to publicly post the GEMINI_API_KEY as an issue comment, making it visible to anyone with access.
This vulnerability was reported to Google VRP (#1609699) by researcher Neil Fendley, in collaboration with Johns Hopkins University. The discovery earned a bounty of $1,337. Further technical specifics are available in the research report.
Finding 3: Copilot Agent — Three-Layer Defense Bypass
The vulnerability identified in GitHub Copilot Agent proved to be the most complex, involving the bypass of three runtime-level mitigations implemented by GitHub: environment variable filtering, secret scanning, and a network firewall. All three defenses were successfully circumvented:
- Env Filtering Bypass: The
UU()function, designed to filter sensitive variables, only applies to the child bash subprocess. By executingps auxewwfrom within this subprocess, attackers could read/proc/[pid]/environof the unfiltered parent Node.js process and MCP server, thereby recoveringGITHUB_TOKEN,GITHUB_COPILOT_API_TOKEN, and two other credentials. - Secret Scanning Bypass: GitHub’s scanner is configured to detect tokens with
ghs_/ghu_prefixes. Attackers bypassed this by Base64-encoding the output before committing it, effectively evading all pattern matching. - Firewall Bypass: The encoded credential file was exfiltrated using a standard
git pushto a pull request. This operation is whitelisted by the firewall, rendering the exfiltration indistinguishable from normal Copilot workflow activity.
Adding another layer of obfuscation, the attack payload was concealed within an HTML comment embedded in the issue body. This made it invisible in GitHub’s rendered Markdown view but fully parsable by the AI agent. A victim would only see an innocuous-looking request and unknowingly assign the issue to Copilot. This bug was reported via HackerOne (#3544297). Initially dismissed as a “known issue,” it was reopened after the researcher provided reverse-engineered source code proof from Copilot’s minified index.js. GitHub eventually awarded a $500 bounty. Additional details are available in the researcher’s findings.

| Component | Injection Surface | Exfiltration Channel | Credentials Leaked | Bounty |
|---|---|---|---|---|
| Claude Code | PR title | PR comment | ANTHROPIC_API_KEY, GITHUB_TOKEN |
$100 |
| Gemini CLI | Issue comments | Issue comment | GEMINI_API_KEY |
$1,337 |
| Copilot Agent | Issue body (HTML comment) | Git commit | GITHUB_TOKEN, COPILOT_API_TOKEN, +2 more |
$500 |
All three vulnerabilities stem from a fundamental architectural flaw: the uncontrolled flow of untrusted GitHub data into an AI agent that simultaneously possesses production secrets and unrestricted tool access within the same runtime environment.
As highlighted by the researchers, this marks the first publicly demonstrated cross-vendor instance of a single prompt injection pattern successfully compromising multiple major AI agents, including one that had three distinct runtime defenses in place. Security experts caution that this pattern is not limited to GitHub Actions. It extends to any AI agent that processes untrusted input while having access to tools and sensitive secrets, encompassing applications such as Slack bots, Jira agents, email agents, and various deployment automation pipelines.
What You Should Do
- Implement Tool Allowlisting: Always use an allowlist (e.g.,
--allowed-tools) to grant AI agents only the absolute minimum required capabilities. Blocklisting specific commands is insufficient, as attackers can easily find alternative methods for exfiltration. - Apply Least-Privilege Principles: Ensure that AI agents, especially those performing read-only tasks like issue triage, are not granted highly privileged credentials such as
GITHUB_TOKENwith write scope. - Mandate Human Approval Gates: Introduce mandatory human review and approval steps before AI agents can execute outbound actions or access sensitive credentials.
- Audit and Monitor AI Agent Integrations: Conduct regular security audits of all AI agent integrations within CI/CD pipelines and actively monitor Actions logs for any anomalous credential access patterns or suspicious activity.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.