Microsoft Warns: Claude GitHub Action Leaks Code Could

Sarah simpson, June 8, 2026 (3 min read)

AI-powered coding tools have profoundly reshaped software development processes. However, their growing adoption inside continuous integration and continuous delivery (CI/CD) pipelines also hands adversaries a new attack surface: an agent that reads repository content and holds credentials.

A recently uncovered vulnerability in a widely used AI coding assistant shows just how far that risk can go.

Researchers found that GitHub Actions workflows powered by AI can be manipulated through simple text inputs, such as issue comments or pull request descriptions.

Since these inputs are read and acted on by an AI agent, a carefully crafted message can quietly redirect the agent to do things it was never supposed to do.

Microsoft Threat Intelligence identified the issue in Anthropic's Claude Code GitHub Action, noting that the AI agent could be tricked into reading sensitive environment files inside the CI/CD runner. Microsoft described the finding in a report shared with Cyber Security News (CSN).

At the heart of the problem is a gap between how the tool handles file access and how it handles command execution. The Bash tool ran commands inside a sandbox that stripped environment variables, but the Read tool did not follow the same rules: it read files as the agent process itself, which still held every credential the workflow had been given.

That inconsistency gave attackers a direct path to credentials that were never meant to leave the runner. The consequences could be serious for any team relying on automated AI workflows in their development pipeline.

A leaked API key could let an attacker impersonate the workflow, consume the victim's API quota, or pivot into connected systems. The issue was responsibly disclosed to Anthropic, which released a fix in Claude Code version 2.1.128 on May 5, 2026.

Microsoft Warns Claude Code GitHub Action Could Leak

The vulnerability worked through what researchers call prompt injection. An attacker would place a hidden instruction inside a GitHub issue or pull request, written in a way that looks harmless to a human reviewer but is treated as a command by the AI model reading the raw text.

In tests conducted by Microsoft’s team, a malicious prompt instructed the agent to perform a “compliance review.” The phrasing was deliberate.

Attack flow (Source: Microsoft)

It avoided triggering Claude's built-in safety filters, which block obvious requests to print API keys. By disguising the request and telling the model to trim the first seven characters of the result, the attacker bypassed both the AI's refusal layer and GitHub's Secret Scanner: dropping the recognizable key prefix defeats pattern-based scanning of logs and comments, while the missing characters are trivial to restore.

The Read tool, once manipulated, opened /proc/self/environ, the kernel's view of the agent process's own environment block. Because that file belongs to the agent process rather than to the sandboxed Bash subprocess, it returned the unscrubbed ANTHROPIC_API_KEY along with any other credentials present in the environment.
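The following is an added example, not Microsoft's or Anthropic's code, that simulates the gap described above in a few dozen lines. Two hypothetical agent tools live in the same process: bash_tool launches a subprocess with credential-looking variables stripped, and read_tool opens a path as the agent process itself. The secret name and value are constructed, and the agent process is re-spawned with the secret in its initial environment, because /proc/<pid>/environ exposes the environment a process was started with, not variables set later via putenv.

```python
"""Sandboxing one tool does not scrub the process: a file-reading tool in the
agent process can still read /proc/self/environ. Added example, constructed
secret; assumes a Linux host where /proc is mounted."""
import json
import os
import subprocess
import sys

SECRET_NAME = "ANTHROPIC_API_KEY"                        # variable named in the report
SECRET_VALUE = "sk-ant-demo-0123456789abcdef0123456789"  # constructed, not a real key
SENSITIVE_SUFFIXES = ("_KEY", "_TOKEN", "_SECRET")       # assumption: what the sandbox strips


def scrub(env: dict) -> dict:
    """Drop credential-looking variables, as a sandboxed Bash tool might."""
    return {k: v for k, v in env.items() if not k.endswith(SENSITIVE_SUFFIXES)}


def bash_tool(command: str) -> str:
    """Hypothetical sandboxed tool: runs a command with a scrubbed environment."""
    proc = subprocess.run(["sh", "-c", command], env=scrub(dict(os.environ)),
                          capture_output=True, text=True)
    return proc.stdout


def read_tool(path: str) -> str:
    """Hypothetical Read tool: reads any path as the agent process, no scrubbing."""
    with open(path, "rb") as fh:
        return fh.read().decode("utf-8", "replace")


def parse_environ(blob: str) -> dict:
    """/proc/self/environ is a sequence of NUL-terminated KEY=VALUE records."""
    env = {}
    for rec in blob.split("\0"):
        key, sep, val = rec.partition("=")
        if sep:
            env[key] = val
    return env


def proc_environ_available() -> bool:
    return os.path.exists("/proc/self/environ")


def probe() -> dict:
    """What each tool sees from inside the (simulated) agent process."""
    via_bash = bash_tool(f'echo "${SECRET_NAME}"').strip()
    via_read = ""
    if proc_environ_available():
        via_read = parse_environ(read_tool("/proc/self/environ")).get(SECRET_NAME, "")
    return {"bash_sees_secret": via_bash == SECRET_VALUE,
            "read_sees_secret": via_read == SECRET_VALUE}


def demo() -> dict:
    """Spawn the agent process with the secret in its initial environment and collect probe()."""
    env = dict(os.environ)
    env[SECRET_NAME] = SECRET_VALUE
    out = subprocess.run([sys.executable, __file__, "--agent"], env=env,
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    if "--agent" in sys.argv:
        print(json.dumps(probe()))      # child: report from inside the agent process
    else:
        print(json.dumps(demo(), indent=2))
```

Run it on Linux and the Bash leg reports no secret while the Read leg returns the full value; on a host without /proc the Read leg simply reports False, which is the point of the guard. The fix direction is the same as the article's: the scrubbing decision has to apply to every tool that can touch the filesystem, not only to the one that spawns shells.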

From there, the attacker could reconstruct the full key and exfiltrate it through channels the workflow allowed, including web requests, issue comments, or action logs.

Microsoft noted the attack chain maps to several MITRE ATLAS techniques, including LLM Prompt Injection, AI Agent Tool Invocation, LLM Jailbreak, and AI Agent Tool Credential Harvesting. The full exploit required no special access, just the ability to open an issue or submit a pull request.

Hardening AI-Powered CI/CD Workflows

Microsoft's team laid out practical steps for defenders. The most important principle they cited is the "Agents Rule of Two."

An AI workflow should satisfy at most two of the following three properties at any one time: processing untrusted input, accessing sensitive secrets, and taking external actions or modifying state. A workflow that does all three, as this one did, is exposed by design, whatever the model's refusal training says.

Teams should apply strict least-privilege controls to every token and API key wired into a workflow. Each key should be scoped to only what that specific workflow needs, and usage should be monitored at the provider level for unusual activity.

Alerts tied to new IP addresses or unexpected endpoint calls can give defenders early warning.

On the prompt level, Microsoft recommends hardening the system prompt so the agent clearly understands what counts as data versus what counts as an instruction.

A well-written system prompt should name the surfaces the agent reads, such as issue bodies or pull request diffs, and make clear that all of that content is untrusted.

Pinning the agent to a single, defined task reduces the chances it gets steered off course by a cleverly worded payload.
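As an added example of putting the Rule of Two and the least-privilege advice above into a check (my own code, not Microsoft's guidance verbatim), the lint below scores a GitHub Actions workflow that has already been loaded into a dict, as yaml.safe_load would produce. Which workflow features map to each leg is my assumption: triggers whose payload carries text an outsider can write count as untrusted input, any ${{ secrets.* }} or ${{ github.token }} reference counts as secret access, and write token scopes count as external action (outbound network access from the runner cannot be read off the YAML, so that leg is an under-approximation). Both sample workflows and the action name example/ai-agent-action are constructed.

```python
"""Rule-of-Two lint for a GitHub Actions workflow dict. Added example; the
leg classification is an assumption, not a published Microsoft rule set."""
import re
from typing import Any, Iterator

# Events whose payload carries attacker-writable text (assumption: list is mine).
UNTRUSTED_EVENTS = {"issue_comment", "issues", "pull_request", "pull_request_target",
                    "pull_request_review", "pull_request_review_comment",
                    "discussion", "discussion_comment"}
SECRET_REF = re.compile(r"\$\{\{\s*(secrets\.\w+|github\.token)\s*\}\}")


def trigger_events(wf: dict) -> set:
    """Normalise the `on:` block. PyYAML parses a bare `on` key as boolean True."""
    on = wf.get("on") or wf.get(True) or {}
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def walk_strings(node: Any) -> Iterator[str]:
    """Yield every string leaf, wherever it sits in the workflow."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from walk_strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from walk_strings(v)


def secret_refs(wf: dict) -> set:
    return {m.group(1) for s in walk_strings(wf) for m in SECRET_REF.finditer(s)}


def write_permissions(wf: dict) -> set:
    """Token scopes granted write access at workflow or job level."""
    found = set()
    blocks = [wf.get("permissions")] + [j.get("permissions") for j in wf.get("jobs", {}).values()]
    for perms in blocks:
        if perms == "write-all":
            found.add("write-all")
        elif isinstance(perms, dict):
            found.update(scope for scope, level in perms.items() if level == "write")
    return found


def rule_of_two(wf: dict) -> dict:
    """Report which legs are satisfied and whether all three are, i.e. a violation."""
    legs = {
        "untrusted_input": sorted(trigger_events(wf) & UNTRUSTED_EVENTS),
        "secret_access": sorted(secret_refs(wf)),
        "external_action": sorted(write_permissions(wf)),
    }
    satisfied = [name for name, evidence in legs.items() if evidence]
    return {"legs": legs, "satisfied": satisfied, "violates": len(satisfied) == 3}


# Constructed workflow shaped like an AI review bot that reacts to issue comments.
RISKY = {
    "name": "ai-review",
    "on": {"issue_comment": {"types": ["created"]}},
    "permissions": {"contents": "write", "pull-requests": "write", "issues": "write"},
    "jobs": {"review": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "example/ai-agent-action@v1",      # hypothetical action name
         "with": {"api_key": "${{ secrets.ANTHROPIC_API_KEY }}",
                  "prompt": "${{ github.event.comment.body }}"}}]}},
}

# Same bot with the third leg removed: a read-only token can report but cannot act.
HARDENED = {**RISKY, "permissions": {"contents": "read", "pull-requests": "read"}}

if __name__ == "__main__":
    for name, wf in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, rule_of_two(wf))
```

The verdict is deliberately coarse: it flags the combination, not any single setting, because each leg on its own is normal. A workflow that trips all three needs one leg removed, and the cheapest one is usually the write scope, which also happens to be the least-privilege fix the article recommends for every token wired into the job.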


Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.
