Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical CVE-2024-XXXXX in GCP Dialogflow Lets Attackers Inject Malicious Code
July 7, 2026
Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
July 7, 2026
VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
July 7, 2026
Home/CyberSecurity News/Critical Prompt Injection Vulnerability Affects AI Code Assistants via GitHub Comments
CyberSecurity News

Critical Prompt Injection Vulnerability Affects AI Code Assistants via GitHub Comments

Key Takeaways A new class of prompt injection attacks, “Comment and Control,” weaponizes GitHub comments and pull requests to compromise AI code assistants. Three prominent AI...

Emy Elsamnoudy
Emy Elsamnoudy
April 21, 2026 5 Min Read
32 0

Key Takeaways

  • A new class of prompt injection attacks, “Comment and Control,” weaponizes GitHub comments and pull requests to compromise AI code assistants.
  • Three prominent AI agents—Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent—were found vulnerable.
  • These vulnerabilities allow attackers to exfiltrate sensitive credentials like API keys and access tokens from CI/CD environments.
  • The attacks are proactive, leveraging GitHub Actions workflows to trigger AI agents without direct user interaction, and a critical fix is available for Claude.

A novel and critical vulnerability class, dubbed “Comment and Control,” has emerged, representing a significant advancement in prompt injection attacks. This technique exploits GitHub pull request titles, issue bodies, and comments to compromise AI coding agents, enabling the theft of API keys and access tokens directly from continuous integration/continuous deployment (CI/CD) environments. Researchers have thoroughly documented this new threat.

Table Of Content

  • Key Takeaways
  • Finding 1: Claude Code Security Review — PR Title to RCE
  • Finding 2: Gemini CLI Action — Issue Comment to API Key Leak
  • Finding 3: Copilot Agent — Three-Layer Defense Bypass
  • What You Should Do

The name “Comment and Control” is a deliberate reference to the “Command and Control” (C2) frameworks typically utilized in malware campaigns. Investigations confirmed that three widely adopted AI agents—Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent (SWE Agent)—are susceptible to these attacks.

According to researcher Aonan Guan, the entire attack sequence unfolds within the GitHub ecosystem. An attacker crafts a malicious pull request title or issue comment, which the AI agent then reads and processes as legitimate context. Subsequently, the agent executes instructions provided by the attacker, leading to the exfiltration of credentials. These credentials are then relayed back to the attacker via a pull request comment, issue comment, or git commit, eliminating the need for any external server interaction.

Unlike traditional indirect prompt injection, which requires a victim to explicitly instruct an AI to process a document, Comment and Control operates proactively. GitHub Actions workflows automatically trigger on pull_request, issues, and issue_comment events. This means an attacker can activate the AI agent by simply opening a pull request or filing an issue, requiring no further interaction from the victim.

Finding 1: Claude Code Security Review — PR Title to RCE

Anthropic’s Claude Code Security Review action was found to directly embed the pull request title into the agent’s prompt without any sanitization. Because the Claude CLI is invoked without restrictions such as --disallowed-tools or --allowed-tools, the subprocess inherits all environment variables, including ANTHROPIC_API_KEY and GITHUB_TOKEN.

An attacker can exploit this by opening a pull request with a malicious title designed to escape the prompt’s context. This allows them to instruct Claude to execute commands like whoami, ps auxeww, or env. The agent then returns a complete credential dump as a JSON “security finding,” which is posted directly to the pull request comments. Anthropic rated this vulnerability with a critical CVSS score of 9.4 (upgraded from 9.3). The flaw was reported via HackerOne (#3387969) and resulted in a $100 bounty award. More details can be found on the researcher’s blog.

Finding 2: Gemini CLI Action — Issue Comment to API Key Leak

Google’s Gemini CLI Action incorporates issue titles, bodies, and comments into the agent’s prompt context under an “Additional Content” section. Researchers discovered that by injecting a fabricated “Trusted Content Section” immediately following this, an attacker can bypass Gemini’s inherent safety instructions. This manipulation causes Gemini to publicly post the GEMINI_API_KEY as an issue comment, making it visible to anyone with access.

This vulnerability was reported to Google VRP (#1609699) by researcher Neil Fendley, in collaboration with Johns Hopkins University. The discovery earned a bounty of $1,337. Further technical specifics are available in the research report.

Finding 3: Copilot Agent — Three-Layer Defense Bypass

The vulnerability identified in GitHub Copilot Agent proved to be the most complex, involving the bypass of three runtime-level mitigations implemented by GitHub: environment variable filtering, secret scanning, and a network firewall. All three defenses were successfully circumvented:

  • Env Filtering Bypass: The UU() function, designed to filter sensitive variables, only applies to the child bash subprocess. By executing ps auxeww from within this subprocess, attackers could read /proc/[pid]/environ of the unfiltered parent Node.js process and MCP server, thereby recovering GITHUB_TOKEN, GITHUB_COPILOT_API_TOKEN, and two other credentials.
  • Secret Scanning Bypass: GitHub’s scanner is configured to detect tokens with ghs_/ghu_ prefixes. Attackers bypassed this by Base64-encoding the output before committing it, effectively evading all pattern matching.
  • Firewall Bypass: The encoded credential file was exfiltrated using a standard git push to a pull request. This operation is whitelisted by the firewall, rendering the exfiltration indistinguishable from normal Copilot workflow activity.

Adding another layer of obfuscation, the attack payload was concealed within an HTML comment embedded in the issue body. This made it invisible in GitHub’s rendered Markdown view but fully parsable by the AI agent. A victim would only see an innocuous-looking request and unknowingly assign the issue to Copilot. This bug was reported via HackerOne (#3544297). Initially dismissed as a “known issue,” it was reopened after the researcher provided reverse-engineered source code proof from Copilot’s minified index.js. GitHub eventually awarded a $500 bounty. Additional details are available in the researcher’s findings.

Component Injection Surface Exfiltration Channel Credentials Leaked Bounty
Claude Code PR title PR comment ANTHROPIC_API_KEY, GITHUB_TOKEN $100
Gemini CLI Issue comments Issue comment GEMINI_API_KEY $1,337
Copilot Agent Issue body (HTML comment) Git commit GITHUB_TOKEN, COPILOT_API_TOKEN, +2 more $500

All three vulnerabilities stem from a fundamental architectural flaw: the uncontrolled flow of untrusted GitHub data into an AI agent that simultaneously possesses production secrets and unrestricted tool access within the same runtime environment.

As highlighted by the researchers, this marks the first publicly demonstrated cross-vendor instance of a single prompt injection pattern successfully compromising multiple major AI agents, including one that had three distinct runtime defenses in place. Security experts caution that this pattern is not limited to GitHub Actions. It extends to any AI agent that processes untrusted input while having access to tools and sensitive secrets, encompassing applications such as Slack bots, Jira agents, email agents, and various deployment automation pipelines.

What You Should Do

  • Implement Tool Allowlisting: Always use an allowlist (e.g., --allowed-tools) to grant AI agents only the absolute minimum required capabilities. Blocklisting specific commands is insufficient, as attackers can easily find alternative methods for exfiltration.
  • Apply Least-Privilege Principles: Ensure that AI agents, especially those performing read-only tasks like issue triage, are not granted highly privileged credentials such as GITHUB_TOKEN with write scope.
  • Mandate Human Approval Gates: Introduce mandatory human review and approval steps before AI agents can execute outbound actions or access sensitive credentials.
  • Audit and Monitor AI Agent Integrations: Conduct regular security audits of all AI agent integrations within CI/CD pipelines and actively monitor Actions logs for any anomalous credential access patterns or suspicious activity.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwareSecurityVulnerability

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

SideWinder Hackers Target Government Webmail With Fake Chrome PDF and Zimbra Login Pages

Next Post

Malicious TikTok Downloaders Compromise 130K Users Via 12 Browser Extensions

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection
July 7, 2026
Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical
July 7, 2026
STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us