Security Researchers Hijack AI Agents in GitHub Actions via Prompt Injection, Steal API Keys Security researchers from Johns Hopkins University, led by Aonan Guan, successfully hijacked three major AI agents integrated with GitHub Actions Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and Microsoft’s GitHub Copilot using a novel prompt injection attack to steal API keys and access tokens. Despite receiving bug bounties from all three vendors, none issued public advisories or assigned CVEs, leaving users potentially exposed. ### The Attack: "Comment-and-Control" Prompt Injection The researchers exploited a flaw in how AI agents process GitHub data including pull request titles, issue bodies, and comments by injecting malicious instructions. Unlike traditional indirect prompt injection, which relies on a victim manually triggering the AI (e.g., "summarize this file"), this "comment-and-control" method is proactive: simply opening a PR or filing an issue can automatically execute the attack without user interaction. - Anthropic’s Claude: Guan demonstrated that a malicious PR title could force the agent to execute arbitrary commands (e.g., `whoami`) and leak credentials in its JSON response. After reporting the flaw in October, Anthropic updated its documentation to warn users but did not issue a public advisory. - Google’s Gemini: Researchers tricked the agent into exposing its API key by injecting a fake "trusted content section" in an issue comment. Google awarded a $1,337 bounty but did not disclose the vulnerability. - Microsoft’s GitHub Copilot: The most fortified target, Copilot includes runtime defenses (environment filtering, secret scanning, and a network firewall). Guan bypassed these by hiding malicious instructions in an HTML comment invisible to human reviewers but processed by the AI. Microsoft initially dismissed the report as a "known issue" before awarding a $500 bounty in March. ### Impact and Risks The attacks could compromise: - API keys (Anthropic, Gemini) - GitHub access tokens - Repository or organization secrets exposed in GitHub Actions environments Guan warned that the technique likely works on other AI agents integrated with GitHub, including Slack bots, Jira agents, and deployment automation tools. Despite fixes, users pinned to vulnerable versions may remain unaware of the risk. ### Vendor Responses - Anthropic: Updated documentation to warn against untrusted PRs and recommended requiring maintainer approval for external contributions. - Google & Microsoft: Acknowledged the flaws via bug bounties but did not issue public disclosures. - GitHub: Initially unable to reproduce the Copilot exploit but later confirmed it. The research underscores the need for least-privilege access controls in AI agents, treating them like "super-powered employees" with only the necessary permissions to perform their tasks.