Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories
Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories
https://thehackernews.com/2026/06/claude-code-github-action-flaw-let-one.html
Publish Date: 2026-06-04 11:15:00
Source Domain: thehackernews.com
Summary:
A serious vulnerability was discovered in Anthropic’s “Claude Code” GitHub Actions by security researcher RyotaK of GMO Flatt Security. This flaw allowed attackers to exploit the workflow through a seemingly benign GitHub issue, thus gaining full control over public repositories using it, including the ability to push malicious code into downstream projects. Initially, the bypass worked by identifying any actor with a “[bot]” suffix on their name, assuming they were trusted GitHub Apps, although this defense was easily circumvented. The attacker then used indirect prompt injection techniques to execute arbitrary commands within the system, such as accessing environment variables and exploiting them to obtain critical GitHub Actions credentials. Anthropic patched this critical vulnerability in January and subsequent remediation led to version claude-code-action v1.0.94; however, the incident underscores the risks of AI agents embedded in CI/CD pipelines with broad access. The findings demonstrate the ongoing challenges posed by prompt injection attacks against AI-powered software, even with stringent permission controls.
Key Points:
- An authenticated vulnerability in Anthropic’s “Claude Code” GitHub Actions allowed attackers to hijack repositories through manipulated GitHub issues.
- The vulnerability was patched by Anthropic, but it highlighted severe security risks linked to prompt injection and the broad permissions assigned to the workflow.
- Real-world examples show attackers exploiting such flaws to steal tokens and deliver unauthorized software updates.
- Ongoing prompt injection attacks represent a significant threat that highlights the need for continuous monitoring and improved security practices.
