AI GitHub Actions Secret Exposure in Claude Code
Summary
Microsoft Threat Intelligence found that Anthropic’s Claude Code GitHub Action could expose CI/CD secrets when AI agents process untrusted GitHub content such as issues, pull requests, and comments. Anthropic fixed the issue in Claude Code 2.1.128, but the research highlights broader risks for any AI-enabled workflow with access to secrets, file reads, or outbound communication.
Introduction
AI-powered GitHub Actions can speed up issue triage, pull request reviews, and repository automation. But Microsoft’s latest research shows that when these workflows process untrusted content and also have access to secrets or powerful tools, they can become a new attack path inside CI/CD pipelines.
What Microsoft found
Microsoft Threat Intelligence discovered a flaw in Anthropic’s Claude Code GitHub Action that could allow secrets in the runner environment to be exposed.
Key findings include:
- Untrusted GitHub content can influence the AI agent: issue bodies, PR descriptions, and comments may contain prompt injection payloads.
- Sandboxing was inconsistent: Bash subprocesses used environment scrubbing protections, but the Read tool did not follow the same isolation model.
- Sensitive files could be accessed: the agent could read /proc/self/environ, exposing values such as ANTHROPIC_API_KEY and potentially other credentials available to the workflow runner.
- The issue is fixed: Anthropic mitigated the vulnerability in Claude Code version 2.1.128 by blocking access to sensitive /proc files.
Why this matters for defenders
This research is bigger than a single product bug. Microsoft also observed prompt injection attempts in public repositories using AI-assisted GitHub workflows from multiple vendors.
The core risk is the same across many implementations:
- User-controlled GitHub content is embedded into an LLM prompt.
- The model output is treated as actionable.
- The agent runs in CI/CD with access to repository data, tokens, API keys, or file-read capabilities.
In one example, Microsoft described how an attacker could hide instructions in issue content to steer an AI bot into modifying documentation and creating a pull request containing malicious HTML. That creates potential for supply-chain compromise, XSS, or secret access depending on tool permissions.
Impact on IT and security teams
For administrators and security teams, this means AI-enabled workflow automation should be treated as a high-risk integration when it combines:
- Untrusted external input
- Secret access
- File read/write tools
- GitHub API permissions
- External network communication
Traditional CI/CD workflows were designed for deterministic tasks. AI agents introduce a decision-making layer that expands the attack surface and shifts prompt construction, tool access, and runtime isolation into the security boundary.
Recommended next steps
- Update Claude Code to version 2.1.128 or later.
- Review GitHub Actions that process issues, PRs, or comments with AI agents.
- Limit secret exposure in workflows triggered by untrusted users.
- Restrict tool permissions for AI actions, especially file-read, write, shell, and PR creation capabilities.
- Separate trust boundaries so public-facing automation does not share runners or credentials with sensitive deployment workflows.
Organizations adopting agentic DevOps workflows should assume prompt injection is a realistic threat and design controls accordingly.
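The following is an added example, not a workflow from the article or from Anthropic or Microsoft, showing the risky combination described above next to a hardened version of the same issue-triage workflow. The action name example-org/ai-triage-action and its inputs (api_key, tools, prompt) are placeholders, not a real marketplace action; the secret names are constructed.

```yaml
# Added example; the AI action and its inputs are placeholders, not a real action.
# --- Weak: untrusted issue text reaches an agent that holds secrets and write rights ---
name: ai-triage-weak
on:
  issues:
    types: [opened]
  issue_comment:
    types: [created]
permissions: write-all            # agent token can push, open PRs, change settings
jobs:
  triage:
    runs-on: ubuntu-latest        # same runner pool as deployment jobs
    env:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # unrelated secret sits in the runner env
      CLOUD_KEY: ${{ secrets.CLOUD_KEY }}         # readable through /proc/self/environ by a file-read tool
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/ai-triage-action@v1     # placeholder action, unpinned major tag
        with:
          api_key: ${{ secrets.AI_API_KEY }}
          tools: read,write,bash                   # shell and generic file tools enabled
          prompt: ${{ github.event.issue.body }}   # raw attacker-controlled text
---
# --- Hardened: least privilege, no unrelated secrets, no shell/write tools on untrusted input ---
name: ai-triage-hardened
on:
  issues:
    types: [opened]
permissions:
  contents: read
  issues: write                   # only what labelling and commenting need
jobs:
  triage:
    runs-on: ubuntu-latest        # run on a runner pool separate from deployment workflows
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config for tools to read
      - uses: example-org/ai-triage-action@v1.2.3   # pin to a fixed, patched release
        with:
          api_key: ${{ secrets.AI_API_KEY }}   # the only secret this job receives
          tools: read_issue,add_label           # no bash, no file read/write, no PR creation
          prompt: ${{ github.event.issue.body }}
```

Deployment credentials such as DEPLOY_TOKEN belong in a separate workflow that is never triggered by issues, comments, or pull requests from untrusted users.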