Claude Code GitHub Action Vulnerability Exposed Repositories to Takeover Through a Single GitHub Issue

AI-Powered Development Tools Face New Security Challenges as Researchers Uncover Repository Hijacking Risk

The growing adoption of AI-powered coding assistants has introduced new security concerns for development teams. Researchers recently uncovered a critical flaw in Anthropic's Claude Code GitHub Action that could have allowed attackers to gain control of vulnerable public repositories using nothing more than a carefully crafted GitHub issue.

The vulnerability highlights a broader cybersecurity challenge facing organizations that integrate AI agents into development workflows. While these tools improve efficiency and automate routine tasks, they also create new attack surfaces that threat actors can exploit.

How the Vulnerability Worked

Claude Code GitHub Action enables developers to automate issue triage, review pull requests, apply labels, and execute workflow commands directly within GitHub repositories. To perform these tasks effectively, the action often operates with extensive permissions that include access to source code, workflow files, issues, discussions, and pull requests.

To prevent abuse, the workflow should only respond to trusted users with write access to a repository. However, researchers discovered a weakness in the validation mechanism.

The vulnerable workflow incorrectly trusted any account whose username ended with “[bot].” Developers assumed that GitHub bots represented legitimate applications installed by repository administrators. Unfortunately, attackers could create their own GitHub Apps, generate bot identities, and use them to interact with public repositories.

As a result, malicious users could bypass the intended trust controls and trigger Claude Code workflows with attacker-controlled content.

Prompt Injection Turned AI Into an Attack Vector

After bypassing the permission check, attackers could leverage indirect prompt injection techniques to manipulate the AI agent.

Prompt injection occurs when malicious instructions are hidden inside content that an AI model processes. Instead of following its intended task, the AI may execute instructions embedded within seemingly legitimate data.

Researchers demonstrated how a specially crafted GitHub issue could convince Claude to execute unauthorized actions. By disguising commands as troubleshooting instructions, the attacker persuaded the AI to access sensitive system information and expose environment variables.

These variables contained credentials used by GitHub Actions workflows, including information required to request OpenID Connect (OIDC) tokens. With access to these credentials, attackers could potentially obtain elevated repository permissions and perform unauthorized modifications.

Potential Supply Chain Impact

The most concerning aspect of the vulnerability involved the possibility of targeting Anthropic’s own Claude Code Action repository.

If attackers successfully compromised the repository responsible for distributing the GitHub Action, they could inject malicious code into the action itself. Because many organizations automatically pull updates from trusted repositories, a compromise could have cascaded across numerous downstream projects.

This type of attack resembles software supply chain incidents that have become increasingly common in recent years. Instead of targeting individual organizations, attackers focus on trusted development tools and dependencies to maximize impact.

Additional Security Weaknesses Identified

Researchers also discovered several configuration-related risks that could expose organizations to similar attacks.

Some example workflows allowed any user to trigger AI-powered automation regardless of repository permissions. In addition, workflow summaries sometimes exposed sensitive information through publicly visible logs.

Another attack scenario involved modifying existing GitHub issues after a trusted user triggered the workflow. If the AI processed the updated content before execution, malicious instructions could still reach the agent despite the original trigger coming from a legitimate source.

These findings demonstrate that AI workflow security depends not only on software design but also on secure implementation and configuration practices.

A Growing Pattern of AI Security Incidents

This discovery follows several recent incidents involving prompt injection attacks against AI-assisted development tools.

Earlier this year, attackers exploited a prompt injection vulnerability in an AI-powered issue triage workflow to obtain an npm publishing token. The stolen credential enabled unauthorized package publication, creating a supply chain risk for users of the affected software.

Security researchers have also documented automated attempts to identify and exploit misconfigured AI workflows across major open-source projects and enterprise environments.

Although not every attack succeeds, the trend demonstrates how threat actors increasingly view AI agents as valuable targets within software development pipelines.

Lessons for Security Teams

Organizations adopting AI coding assistants should recognize that these tools inherit the permissions and trust relationships granted to them.

When an AI agent can access source code, secrets, workflows, or deployment systems, attackers may attempt to manipulate the agent rather than directly compromise the infrastructure itself.

Security teams should therefore apply the principle of least privilege to AI-powered workflows, limit access to sensitive credentials, and carefully review how external input reaches automated systems.

Additionally, repositories that allow public interaction should treat all user-generated content as untrusted data. AI agents must never receive permissions that exceed what is necessary for their specific task.

What Organizations Should Do Now

Organizations using Claude Code GitHub Action should update to version 1.0.94 or later, which includes fixes and additional security hardening.

Security teams should also review workflow configurations, remove unnecessary permissions, restrict execution triggers, and avoid exposing sensitive secrets to AI-powered automation wherever possible.

As AI agents become a permanent part of modern software development, organizations must balance automation benefits with strong security controls. The latest findings serve as another reminder that prompt injection remains one of the most significant security challenges facing AI systems today.