agents

YOUR GITHUB SECRETS ARE EXPOSED: How AI Agents from Anthropic, Google & Microsoft Were Hijacked to Steal Credentials

8 min read

It took one pull request title. That's all.

Security researcher Aonan Guan submitted a pull request with a specially crafted title containing hidden instructions. The AI agent reviewing the code—Anthropic's Claude Code Security Review—read those instructions and executed them without question. Within seconds, it exposed sensitive credentials in a comment on the pull request.

Then Guan did it again to Google's Gemini CLI Action. And again to Microsoft's GitHub Copilot Agent. Three of the biggest tech companies on Earth. Three AI agents designed to help developers. All three compromised by a single, terrifying attack technique.

The companies paid bug bounties. Anthropic: $100. Google: $1,337. Microsoft: $500. Then they did something almost unbelievable: They never published public advisories. They never assigned CVEs. They never warned the millions of developers using these tools that they were vulnerable.

> "I know for sure that some of the users are pinned to a vulnerable version. If they don't publish an advisory, those users may never know they are vulnerable—or under attack."

>

> — Aonan Guan, Johns Hopkins University Security Researcher

The "Comment and Control" Attack: How It Works

Guan calls this technique "comment and control"—a play on "command and control" infrastructure used by sophisticated hackers. But this attack requires no external servers, no malware deployment, no complex infrastructure. It all happens inside GitHub.

Here's the terrifying simplicity of it:

The attack is so elegant it barely seems real. But Guan proved it works. He demonstrated credential theft against all three major AI agents. And he published the proof-of-concept to warn the world.

The Three Victims: Anthropic, Google, Microsoft

Anthropic's Claude Code Security Review

What it does: Uses Claude to analyze code changes and pull requests for vulnerabilities

The vulnerability: Reads pull request titles without sanitization, executes arbitrary bash commands when prompted

Proof of concept: Guan submitted a PR titled with instructions to execute "whoami" command. Claude executed it and posted the results as a "security finding."

Bounty paid: $100 (upgraded from low to critical severity, 9.3 → 9.4 CVSS score)

Current status: Documentation quietly updated to warn that the action "is not hardened against prompt injection attacks and should only be used to review trusted PRs"

Google's Gemini CLI Action

What it does: Integrates Google's Gemini AI into GitHub issue workflows

The vulnerability: Similar prompt injection through issue comments and titles, with additional ability to override safety instructions using fake "trusted content sections"

Proof of concept: Researchers injected malicious comments that convinced Gemini to publish its own API key as an issue comment

Bounty paid: $1,337 (credited to full research team)

Current status: Fix deployed, but no public advisory issued

Microsoft's GitHub Copilot Agent

What it does: Autonomous software engineering agent that works on assigned GitHub issues and creates pull requests

The vulnerability: Despite THREE security layers (environment filtering, secret scanning, network firewall), researchers bypassed all of them using HTML comments invisible to human reviewers

Proof of concept: Hidden payload in Markdown HTML comments triggered when a victim assigned an issue to Copilot Agent

Bounty paid: $500 (initially dismissed as "known issue" they "were unable to reproduce")

Current status: No CVE assigned, no public disclosure

What Credentials Are at Risk?

According to Guan's research, the attacks can exfiltrate:

Think about what that means. Your production deployment keys. Your cloud provider credentials. Your database passwords. All potentially accessible to an attacker who knows how to craft a malicious pull request title.

The attack surface is massive: This isn't just about the three agents tested. Guan believes this vulnerability exists across the ecosystem of AI agents integrated with GitHub Actions: Slack bots, Jira agents, email agents, deployment automation agents, and more. "Microsoft, Google, and Anthropic are the top three. We may find this vulnerability in other vendors as well."

The Cover-Up: Why Vendors Stayed Silent

Here's where this story becomes truly disturbing. All three companies acknowledged the vulnerability. All three paid bug bounties. None of them issued public security advisories. None assigned CVE identifiers. Millions of developers continued using vulnerable configurations, completely unaware of the risk.

Why would companies pay for vulnerability research, then hide the results?

The uncomfortable truth: Admitting their AI agents are vulnerable to prompt injection attacks undermines the core value proposition of AI-powered development tools. These companies are betting billions that AI agents can safely integrate into developer workflows. Publicly admitting that a simple pull request title can hijack them and steal secrets? That's not exactly great marketing.

> "The title is the payload, the bot's review comment is one place where the credentials show up. Attacker writes the title, reads the comment."

>

> — Aonan Guan

Are YOU Vulnerable? The DevOps Checklist

If your development workflow uses AI agents integrated with GitHub, you need to check these configurations RIGHT NOW:

Immediate Actions (Do Today)

GitHub Repository Settings Path:

Settings → Actions → General → "Fork pull request workflows from outside collaborators"

→ Select: "Require approval for all outside collaborators"

Defense in Depth

The Bigger Picture: Prompt Injection Is Everywhere

This vulnerability isn't unique to GitHub Actions. Prompt injection—the art of hijacking AI systems through carefully crafted inputs—is becoming the defining security challenge of the AI era.

We've seen prompt injection attacks against:

Every time an AI system reads external data—emails, documents, web pages, pull requests, issue comments—there's potential for prompt injection. And every time an AI has access to tools—bash execution, API calls, file system operations—that injection becomes dangerous.

The AI agents hit in this research had access to some of the most sensitive capabilities possible: execution environments containing production secrets.

Why This Matters: The Supply Chain Implications

This isn't just about your code. It's about the entire software supply chain.

Modern development relies on thousands of dependencies, most maintained by open-source contributors. Those contributors submit pull requests. Those PRs get reviewed—sometimes by AI agents. If an attacker can compromise an AI agent reviewing a popular open-source library, they could inject malicious code that propagates to thousands of downstream projects.

Picture this scenario:

This is the software supply chain apocalypse scenario that security researchers have warned about for years—now made possible by AI agents that can be hijacked with a pull request title.

What Should Happen Now

The responsible disclosure process broke down here. Bug bounties were paid, but users weren't protected. Here's what needs to happen:

For Vendors:

For GitHub:

For Developers:

The Bottom Line: Trust No Bot

We've entered an era where AI agents are deeply integrated into our development workflows, with access to our most sensitive credentials and the power to modify our codebases. And we've just learned that these agents can be hijacked by anyone who knows how to craft a malicious pull request title.

The companies building these tools paid bug bounties and hoped the problem would go away. It won't. Prompt injection is a fundamental challenge in AI systems that process untrusted input. There are mitigations, but no complete solutions.

If you're using AI agents in your CI/CD pipeline, you need to act now. Review your configurations. Rotate your credentials. Enable approval requirements. Monitor your logs.

Because somewhere out there, an attacker is already testing their first payload.