PROBABLYPWNED
Vulnerabilities | June 8, 2026

Claude Code GitHub Action Flaw Enabled Repo Hijacking via Issues

Anthropic patches critical Claude Code GitHub Action vulnerability that let attackers steal tokens and hijack repositories through a single malicious issue. CVSS 7.8 flaw exploited bot actor trust.

Marcus Chen

A vulnerability in Anthropic's Claude Code GitHub Action allowed attackers to hijack public repositories by planting prompt injection instructions in GitHub issues, according to research from GMO Flatt Security.

The flaw, rated CVSS 7.8, stemmed from a permission check that trusted any actor whose name ended in "[bot]"—assuming GitHub Apps were inherently safe. Attackers could exploit this by registering custom GitHub Apps, then using them to open malicious issues on target repositories.

How the Attack Worked

Security researcher RyotaK discovered that the Claude Code Action's trust model had a critical gap. The attack chain required only four steps:

  1. Register a custom GitHub App and install it on any repository you control
  2. Use the app's token to open issues on target public repositories
  3. Plant indirect prompt injection instructions in the issue body
  4. Wait for Claude to process the issue and execute the injected commands

Once Claude processed a malicious issue, attackers could trick the AI into reading environment variables containing secrets, stealing OIDC credentials to obtain write access tokens, and potentially poisoning the Claude Code Action itself for downstream projects.

The vulnerability is particularly concerning given the growing adoption of AI-powered development tools. Similar prompt injection techniques have affected other AI assistants, but here the agent's write access to the repository makes exploitation especially dangerous.

Additional Attack Vectors

RyotaK identified several compounding issues beyond the core vulnerability:

Overly permissive defaults: Example workflows shipped with allowed_non_write_users: "*", granting broad access that most repositories don't need.

Data leakage via summaries: Workflow summaries were publicly visible, potentially exposing sensitive information Claude processed during execution.

Edit-based exploitation: Even issues from trusted users could be weaponized if an attacker edited the issue content before Claude processed it.
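To make the trust gap concrete, here is an added example (constructed for this article, not code from Anthropic or the action): the "[bot]"-suffix check described above beside a hardened check that only trusts bots by exact login on an explicit allowlist and otherwise requires a write-level collaborator permission. The hardened version also evaluates the last editor of the issue body, not just the author, which covers the edit-based case. All function, field and login names are hypothetical, and the permission strings stand in for what a collaborator-permission lookup would return.

```python
"""Constructed example: flawed bot-suffix trust check beside a hardened one.
Not the action's own code; all names here are hypothetical."""
from dataclasses import dataclass

WRITE_LEVEL = frozenset({"write", "maintain", "admin"})


@dataclass(frozen=True)
class IssueEvent:
    # Stand-in for the fields a workflow reads from the event payload plus a
    # collaborator-permission lookup for each login (constructed values).
    author: str
    author_permission: str
    last_editor: str
    editor_permission: str


def vulnerable_is_trusted(login: str, permission: str) -> bool:
    """The pattern the article describes: a '[bot]' suffix short-circuits the check."""
    if login.endswith("[bot]"):
        return True
    return permission in WRITE_LEVEL


def hardened_is_trusted(login: str, permission: str, allowed_bots: frozenset) -> bool:
    """Bots are trusted only by exact login on an explicit allowlist; every other
    login needs a write-level permission on this repository, never a name pattern."""
    if login.endswith("[bot]"):
        return login in allowed_bots
    return permission in WRITE_LEVEL


def vulnerable_should_process(ev: IssueEvent) -> bool:
    # Only the author is checked, so a later edit by anyone rides on the author's trust.
    return vulnerable_is_trusted(ev.author, ev.author_permission)


def hardened_should_process(ev: IssueEvent, allowed_bots: frozenset) -> bool:
    # Both the author and whoever last edited the body must be trusted, because
    # the text the agent reads is the edited body, not the original one.
    return (hardened_is_trusted(ev.author, ev.author_permission, allowed_bots)
            and hardened_is_trusted(ev.last_editor, ev.editor_permission, allowed_bots))


ALLOWED_BOTS = frozenset({"dependabot[bot]"})  # constructed allowlist

# Constructed events: an unknown custom app, an allowlisted app, a maintainer,
# and a maintainer's issue later edited by a read-only account.
EVENTS = {
    "custom_app": IssueEvent("unknown-app[bot]", "none", "unknown-app[bot]", "none"),
    "allowlisted_app": IssueEvent("dependabot[bot]", "none", "dependabot[bot]", "none"),
    "maintainer": IssueEvent("alice", "admin", "alice", "admin"),
    "edited_by_outsider": IssueEvent("alice", "admin", "mallory", "read"),
}


def compare() -> dict:
    """Return {event name: (vulnerable decision, hardened decision)} for the samples."""
    return {name: (vulnerable_should_process(ev), hardened_should_process(ev, ALLOWED_BOTS))
            for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in compare().items():
        print(f"{name:20s} vulnerable={vuln!s:5s} hardened={hard}")
```

The two decisions diverge exactly on the cases the article names: the custom app passes the suffix check but fails the allowlist, and the edited issue passes on the author's standing alone but fails once the editor is checked too.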

Anthropic's Response

Anthropic patched the core vulnerability within four days of RyotaK's January report, releasing the fix in claude-code-action v1.0.94. The company applied additional hardening throughout the spring to address the secondary issues.

Organizations using Claude Code in their CI/CD pipelines should immediately verify they're running v1.0.94 or later. The VS Code GitHub token theft vulnerability we covered last week shows how development tool vulnerabilities can cascade into broader supply chain compromises.

Mitigation Recommendations

Beyond updating to the patched version, security teams should:

  1. Audit existing workflows for overly permissive settings
  2. Restrict secret access to only essential credentials
  3. Remove exfiltration-capable tools from Claude's available toolset where possible
  4. Review workflow runs for any suspicious activity during the vulnerable period
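As an added example for the version check above and step 1 of this list (constructed for this article, not tooling from Anthropic or GitHub), the following script scans workflow files for a claude-code-action reference older than v1.0.94 (or one that is not a full version tag at all) and for the wildcard allowed_non_write_users: "*" setting. It uses regexes over the raw YAML so it needs no extra dependencies; the three sample workflows are constructed, and the function names are hypothetical.

```python
"""Constructed example: audit workflow YAML for a pre-fix claude-code-action
reference and the wildcard allowed_non_write_users input. Not project code."""
import re
from dataclasses import dataclass

ACTION = "anthropics/claude-code-action"
MIN_FIXED = (1, 0, 94)  # first release carrying the core fix, per the article

USES_RE = re.compile(rf"uses:\s*{re.escape(ACTION)}@([^\s#]+)")
WILDCARD_RE = re.compile(r"allowed_non_write_users:\s*['\"]?\*['\"]?\s*$", re.MULTILINE)
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


@dataclass(frozen=True)
class Finding:
    workflow: str
    message: str


def parse_version(ref: str):
    """(major, minor, patch) for a vN.N.N tag; None for a branch, major-only tag or SHA."""
    m = SEMVER_RE.match(ref)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_workflow(name: str, text: str) -> list:
    findings = []
    for m in USES_RE.finditer(text):
        ref = m.group(1)
        ver = parse_version(ref)
        if ver is None:
            # A floating ref may or may not resolve to a fixed build; a human must confirm.
            findings.append(Finding(name, f"{ACTION}@{ref} is not a full version tag; "
                                          "confirm it resolves to v1.0.94 or later"))
        elif ver < MIN_FIXED:
            findings.append(Finding(name, f"{ACTION}@{ref} predates the v1.0.94 fix"))
    if WILDCARD_RE.search(text):
        findings.append(Finding(name, 'allowed_non_write_users: "*" lets any account '
                                      'without write access trigger the action'))
    return findings


# Constructed sample workflows: one pre-fix with the wildcard, one patched,
# one pinned to a floating ref.
SAMPLE_WORKFLOWS = {
    "claude-old.yml": """\
name: Claude
on:
  issues:
    types: [opened]
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1.0.90
        with:
          allowed_non_write_users: "*"
""",
    "claude-patched.yml": """\
name: Claude
on:
  issues:
    types: [opened]
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1.0.94
""",
    "claude-floating.yml": """\
name: Claude
on:
  issues:
    types: [opened]
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@beta
""",
}


def run_audit(workflows=None) -> dict:
    """Return {workflow name: [finding messages]} over the given or sample workflows."""
    workflows = SAMPLE_WORKFLOWS if workflows is None else workflows
    return {name: [f.message for f in audit_workflow(name, text)]
            for name, text in workflows.items()}


if __name__ == "__main__":
    for name, messages in run_audit().items():
        print(name, "OK" if not messages else "")
        for msg in messages:
            print("  -", msg)
```

To run it over a real checkout, replace the sample dictionary with the contents of each file under .github/workflows/. Floating refs are reported rather than silently accepted because only the resolved commit tells you whether the fix is present.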

Why This Matters

The Claude Code vulnerability highlights a fundamental tension in AI-assisted development: the same capabilities that make these tools useful also create novel attack surfaces. An AI that can read environment variables and execute commands is doing exactly what developers need—but those capabilities become dangerous when the AI's instructions can be manipulated.

The "[bot]" suffix trust assumption reflects a broader pattern where security shortcuts made sense in a pre-AI context but break down when AI agents enter the picture. GitHub Apps ending in "[bot]" were traditionally automated tools with limited, predictable behavior. AI agents don't fit that model.

As AI coding assistants become standard in development workflows, expect more vulnerabilities in this category. The attack surface isn't just the AI model itself—it's the entire integration layer between AI capabilities and existing infrastructure. Security teams should treat AI tool integrations with the same scrutiny they'd apply to any third-party code execution in their CI/CD pipeline.

For organizations evaluating AI development tools, this incident underscores the importance of understanding how these tools authenticate, what permissions they require, and how they handle potentially malicious input. The convenience of AI assistance comes with real security implications that require ongoing attention.
