Microsoft Uncovers Critical Prompt Injection Vulnerability in Anthropic’s Claude Code Action
As artificial intelligence (AI) tools become integral to software development, a significant security vulnerability has been identified in Anthropic’s AI coding agent, Claude Code. Microsoft researchers revealed that this flaw could have enabled attackers to access sensitive developer credentials and access tokens. Although the vulnerability has been patched following responsible disclosure, cybersecurity experts warn that this incident underscores the escalating risks associated with autonomous AI agents functioning in high-privilege environments.
The discovery highlights an urgent need for engineering teams to reassess trust boundaries when deploying automation tools across public repositories.
The Vulnerability in the Automated CI/CD Toolchain
The vulnerability was found within the Claude Code GitHub Action, a widely used tool for automating software development, testing, and deployment processes. GitHub Actions often handle highly sensitive information, including API keys, cloud access credentials, database tokens, and production secrets essential for application operations.
Launched by Anthropic in October 2025, Claude Code is designed to assist developers in writing code, troubleshooting issues, reviewing changes, and expediting software development. The GitHub Action functions as an automated wrapper around the Claude Agent SDK, which retrieves issue context, pull request parameters, and repository diffs to facilitate automated code reviews and label triages.
Exploiting the Unsandboxed File Read Primitives
Researchers indicated that the attack exploited a technique known as prompt injection, which has emerged as a significant threat to AI agents. In such attacks, malicious actors embed concealed instructions within GitHub issues, pull requests, comments, or other content processed by an AI system. If the AI agent executes these hidden instructions, it may perform unintended actions.
Microsoft’s threat intelligence unit noted that while the Claude Code Action enforced strict environment scrubbing for subprocess execution paths like Bash, its internal “Read” tool lacked the same sandboxing protections. By embedding a malicious prompt within an issue body, an attacker could deceive the AI agent into reading highly restricted runner files, such as /proc/self/environ, which contains active credentials for obtaining cloud OpenID Connect (OIDC) tokens and workspace secrets.
Laundering Output to Evade Safety Filters
To illustrate the vulnerability, Microsoft researchers created a controlled GitHub workflow simulating an attacker’s behavior. They concealed malicious instructions behind content hosted on a domain they controlled. This approach allowed them to bypass certain safety mechanisms and influence the AI agent’s decision-making process.
To circumvent Claude’s safety and system-prompt refusal layers—designed to block the printing or exfiltration of sensitive API credentials—the injection framed the file retrieval as a routine compliance review. The instruction directed the model to modify text strings, such as truncating the first seven characters of an authentication key. This laundered output evaded internal filters, tricking the agent into posting exposed secrets into public workflow logs or repository comments.
Responsible Disclosure and Infrastructure Hardening
Microsoft disclosed the prompt-injection vulnerability to Anthropic through the HackerOne responsible disclosure program on April 29. Following a swift internal investigation, Anthropic released Claude Code Version 2.1.128 on May 5, addressing the flaw by ensuring that the Read tool would unconditionally reject and block access to sensitive procfs system files.
Security specialists at Algoritha Security emphasize that as AI development agents gain high-level capabilities to modify files and interact with third-party APIs via the Model Context Protocol (MCP), they function as active code-execution environments. Security architects are advocating for the implementation of the principle of least privilege across all CI/CD pipelines. This approach ensures that tokens associated with automated workflows have narrow scopes, preventing lateral repository takeovers even if an upstream agent suffers a prompt-injection compromise.
The implications of this vulnerability extend beyond the immediate technical fixes. It raises critical questions about the security architecture of AI tools integrated into software development workflows. As organizations increasingly rely on these technologies, the need for robust security measures becomes paramount.
For further details on the incident and its implications, refer to the original reporting source: the420.in.
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
