Microsoft researchers uncovered a now-patched vulnerability in Anthropic's Claude Code GitHub Action that could have allowed attackers to steal credentials by injecting malicious instructions into GitHub issues, pull requests, or comments.
The flaw, disclosed through HackerOne and fixed in May with Claude Code version 2.1.128, exploited AI agents operating inside CI/CD pipelines where API keys and cloud credentials are commonly stored.
Microsoft demonstrated that attackers could bypass Claude's safety controls by hiding malicious payloads behind content hosted on controlled domains. The prompt injection tricked Claude into reading credentials, altering them to evade both Claude's safeguards and GitHub's secret-scanning tools.
Anthropic's Claude Code, a popular AI coding agent for developers, has been under scrutiny since March when Anthropic accidentally leaked over 500,000 lines of its source code online.
Microsoft urged development teams to treat untrusted inputs like GitHub issues as hostile by default, warning that "natural language is executable code."