Microsoft security researchers revealed that Claude Code running inside GitHub Actions can be manipulated through prompt injection to expose sensitive credentials. Attackers need only a malicious comment in a pull request to trigger the exploit. A parallel SEO poisoning campaign distributes trojanized Claude Code installers to unsuspecting developers.
TL;DR: Microsoft discovered that Claude Code in GitHub Actions is vulnerable to prompt injection attacks that can leak secrets like API keys and tokens. Researchers say prompt injection attacks could manipulate AI coding agents to access sensitive credentials stored in software development pipelines. Separately, EclecticIQ researchers uncovered an SEO poisoning campaign distributing malicious Claude Code and Gemini CLI installers targeting developers.
What Did Microsoft Discover About Claude Code in GitHub Actions?
Microsoft security researchers found that Claude Code, when integrated into GitHub Actions workflows, can be manipulated through prompt injection to expose sensitive credentials stored in CI/CD pipelines. The vulnerability stems from how the AI agent processes untrusted input from pull requests and issue comments. When Claude Code encounters a carefully crafted instruction embedded in a PR description or comment, it can be tricked into executing commands that read and exfiltrate secrets. This is a real threat. The researchers demonstrated that an attacker does not need direct access to the repository. A simple fork with a malicious pull request is enough to trigger the credential leak, provided the GitHub Actions workflow is configured to run Claude Code on external contributions.
The core issue lies in the trust boundary between the AI agent and its environment. Claude Code operates with the same permissions as the GitHub Actions runner, meaning it has access to environment variables, secrets, and workspace files. Microsoft’s findings highlight a fundamental tension in AI-assisted development: the tools designed to accelerate coding also expand the attack surface in ways traditional security models did not anticipate. Organizations using Claude Code in automated pipelines must reassess how they handle untrusted input and whether secrets are truly isolated from AI agent processes.
How Can Prompt Injection Steal Credentials From CI/CD Pipelines?
Prompt injection attacks against CI/CD pipelines work by embedding malicious instructions within data that an AI coding agent processes as part of its normal workflow. In the Claude Code GitHub Actions scenario, an attacker creates a pull request containing a hidden prompt in the PR description, commit message, or code comments. When the GitHub Actions workflow triggers and Claude Code begins analyzing the changes, it interprets the injected prompt as a legitimate instruction. The agent then executes commands it was never intended to run. This could include reading environment variables containing API keys, printing GitHub tokens to build logs, or even pushing modified code back to the repository.
The attack exploits a fundamental limitation of large language models: they cannot reliably distinguish between instructions from authorized users and instructions hidden in data. Traditional input validation focuses on SQL injection or XSS, but prompt injection operates at the semantic level, targeting how the model interprets text. In a CI/CD context, the consequences are amplified because the agent runs with elevated privileges and has direct access to deployment credentials. A successful prompt injection attack can compromise not just one repository but potentially the entire deployment chain connected to those stolen secrets.
Mitigating this requires a multi-layered approach. Secrets should never be exposed as environment variables accessible to AI agents without explicit scoping. GitHub Actions workflows should treat AI agent input processing with the same caution as eval() on user-supplied strings. Organizations should also consider running AI coding agents in isolated environments with minimal permissions, logging all agent actions for audit purposes, and implementing approval gates before any agent-initiated changes are merged into protected branches.
Why Are AI Coding Agents a New Attack Surface for Developers?
AI coding agents like Claude Code represent a new category of attack surface because they combine two traditionally separate concerns: code execution and natural language interpretation. Unlike conventional CI/CD tools that follow deterministic scripts, AI agents make decisions based on probabilistic interpretation of text. This creates an entirely new class of vulnerabilities. EclecticIQ researchers have documented how attackers are actively exploiting the growing popularity of AI coding tools. The attack surface extends beyond prompt injection in CI/CD pipelines to include supply chain attacks through trojanized installers, social engineering through fake documentation, and exploitation of agent plugins or extensions.
What makes AI coding agents particularly risky is their privileged position within the development workflow. They often have read and write access to source code, can execute shell commands, interact with package managers, and communicate with external APIs. An attacker who compromises an AI agent effectively gains a foothold with the developer’s own permissions. The agent becomes a proxy for malicious activity, operating under the implicit trust that organizations place in their development tools. Security teams must now account for the possibility that their AI assistants can be turned against them through carefully crafted text inputs.
The rapid adoption of AI coding tools has outpaced the development of security best practices for these systems. Many organizations have integrated Claude Code, GitHub Copilot, and similar tools into their workflows without fully understanding the security implications. The traditional model of securing CI/CD pipelines focused on protecting secrets, validating code, and controlling access. AI agents introduce an additional dimension: securing the interpretation layer that sits between human instructions and machine execution. This requires new security frameworks, updated threat models, and developer training that addresses the unique risks of AI-assisted development.
What Is the SEO Poisoning Campaign Targeting Claude Code Users?
Security researchers from EclecticIQ have identified an active SEO poisoning campaign that distributes malicious installers for both Claude Code and Gemini CLI through manipulated search engine results. The attackers create fraudulent websites that closely mimic official documentation pages, then use black-hat SEO techniques to rank these pages prominently in search results for queries related to Claude Code and Gemini CLI installation. Developers searching for how to install these tools encounter the malicious pages first. The fake installers contain information-stealing malware designed to harvest credentials, browser cookies, cryptocurrency wallets, and other sensitive data from compromised developer machines.
The campaign specifically targets developers, a high-value demographic for cybercriminals because developers typically have access to source code repositories, deployment infrastructure, and production environments. A single compromised developer machine can provide attackers with credentials to an entire organization’s codebase and deployment pipeline. EclecticIQ researchers report that the malicious installers are sophisticated, often using legitimate-looking installer frameworks and digital signatures to avoid detection. The malware operates silently, exfiltrating data to command-and-control servers before the developer realizes anything is wrong.
This SEO poisoning campaign illustrates how attackers adapt to technology trends. As AI coding tools gain popularity, they become attractive targets for social engineering. Developers eager to try new tools may lower their guard when downloading installers, especially if the search results appear legitimate. The combination of SEO poisoning with AI tool distribution is particularly effective because developers often seek out installation instructions through search engines rather than navigating directly to official sources. Organizations should ensure their developers know the official download locations for AI coding tools and implement endpoint protection that can detect information-stealing malware on developer workstations.
How Do Attackers Exploit the Trust Relationship Between Agents and Repos?
Attackers exploit the implicit trust that CI/CD pipelines grant to automated processes by injecting malicious instructions into data the AI agent reads, turning the agent into an unwitting insider threat. Microsoft researchers demonstrated that Claude Code, when running as a GitHub Action, processes untrusted inputs — such as issue comments, pull request descriptions, and repository files — with the same access privileges as legitimate workflow commands. This creates a direct path from external text to internal credentials.
The trust relationship works on multiple levels simultaneously. GitHub Actions automatically provides secrets like GITHUB_TOKEN, cloud provider keys, and npm publishing tokens to the workflow environment. When an AI agent operates within that environment, it inherits full access to those secrets by design. The agent cannot distinguish between a legitimate developer instruction and a crafted prompt injection hidden in a dependency’s README file.
Security researchers from Microsoft’s Threat Intelligence Center reported that an attacker could craft a pull request containing obfuscated prompt instructions invisible to casual code review. Once Claude Code processes the PR, the injected command directs the agent to read environment variables containing credentials and exfiltrate them through commit messages, API calls, or newly created files. The entire process requires no direct network access from the attacker — the agent does the heavy lifting.
This model breaks the traditional security boundary. Firewalls and network segmentation become irrelevant when the trusted agent itself becomes the attack vector.
What Are the Specific Vulnerability Vectors in Agentic CI/CD?
The agentic CI/CD attack surface includes at least eight distinct vulnerability vectors that security teams must evaluate before deploying any AI coding agent in automated workflows. Microsoft’s analysis identified prompt injection as the primary vector, but the full risk landscape extends far beyond a single attack pattern. Each vector represents a different entry point an adversary can use to manipulate agent behavior.
The documented and theoretical vectors include:
- Direct prompt injection via PR comments: Malicious instructions embedded in pull request bodies that the agent processes as commands
- Indirect injection through repository files: Crafted content in README files, documentation, or test fixtures that override system prompts
- Compromised dependencies: Malicious npm or pip packages containing instructions in their source code that the agent reads during analysis
- Tool output poisoning: Manipulated API responses or build logs that contain hidden directives the agent interprets as actions
- Environment variable harvesting: Agent commands that dump
GITHUB_TOKEN, AWS keys, or other CI secrets into accessible outputs - Exfiltration via git operations: Pushing credentials to forks, embedding secrets in commit messages, or creating issues with stolen data
- Workflow file modification: Agents with write access modifying
.github/workflows/YAML files to persist malicious actions across runs - Supply chain lateral movement: Using stolen credentials from one repository to compromise dependent projects or organizational packages
| Vector | Entry Point | Potential Impact | Detection Difficulty |
|---|---|---|---|
| Direct prompt injection | PR comments, issues | Credential theft | Moderate |
| Indirect injection | README, docs, fixtures | Arbitrary command execution | High |
| Compromised dependencies | package.json, requirements.txt | Supply chain compromise | Very high |
| Tool output poisoning | Build logs, API responses | Agent manipulation | High |
| Environment harvesting | CI runtime variables | Mass secret exfiltration | Moderate |
| Git exfiltration | Commits, pushes, issues | Data leakage | Low |
| Workflow modification | YAML files | Persistent backdoor | Moderate |
| Lateral movement | Org credentials | Multi-repo compromise | Very high |
Understanding these vectors is the first step toward building effective guardrails. Each one requires a specific mitigation strategy rather than a single blanket fix.
How Should Teams Secure GitHub Actions When Using AI Agents?
Securing GitHub Actions with AI agents requires applying the principle of least privilege combined with strict input sanitization, output filtering, and isolated execution environments. Teams should never grant an AI coding agent the same permissions a human developer receives. The agent operates on untrusted input by definition, and its permission model must reflect that reality.
The following security measures should be implemented as a baseline before any AI agent runs in CI/CD:
- Restrict
GITHUB_TOKENpermissions: Setpermissions: {}in workflow files and explicitly grant only the minimum scopes needed, such ascontents: readinstead ofcontents: write - Use separate secrets for agent operations: Create dedicated, scoped tokens for AI agent tasks rather than reusing deployment or publishing credentials — Sanitize all untrusted inputs: Strip or escape markdown, code blocks, and natural language instructions from PR descriptions before passing them to the agent
- Implement output filtering: Scan agent-generated commits, comments, and files for secret patterns using tools like
gitleaksortrufflehogbefore publishing - Run agents in isolated runners: Use self-hosted runners in ephemeral containers or GitHub-hosted runners with minimal network egress rules
- Enable audit logging: Record every command the agent executes, every file it reads, and every network request it makes for post-incident analysis
- Enforce mandatory code review: Require human approval for all changes an AI agent proposes, with specific attention to workflow file modifications and dependency updates
- Rotate credentials frequently: Use short-lived tokens via OIDC federation instead of long-lived secrets stored in GitHub’s secret manager
No single measure eliminates all risk. Defense in depth — layering these controls — provides the best protection against both known and emerging attack patterns.
What Did Anthropic and Microsoft Recommend After the Disclosure?
Following Microsoft’s report on the Claude Code GitHub Action vulnerability, Anthropic and Microsoft issued coordinated recommendations emphasizing reduced default permissions, improved input handling, and heightened awareness of prompt injection risks in CI/CD environments. The disclosure process followed responsible vulnerability reporting practices, with Microsoft privately notifying Anthropic before public publication.
Anthropic’s guidance focused on three areas: updating the Claude Code GitHub Action to use minimal default permissions, recommending that users explicitly scope their GITHUB_TOKEN and secrets, and documenting the risks of processing untrusted repository content in agentic workflows. The company emphasized that Claude Code was designed for interactive developer use cases and that automated CI/CD deployment requires additional safeguards.
Microsoft’s recommendations extended beyond Claude Code specifically. The Microsoft Security Response Center and Threat Intelligence teams advised organizations to treat AI coding agents as untrusted components within their build pipelines. This means applying the same security controls to agents that teams already apply to third-party dependencies and external contributors. Microsoft also recommended continuous monitoring of agent activity and periodic review of permissions granted to automated tools.
The coordinated disclosure highlighted a broader industry challenge. AI agent security standards for CI/CD remain immature, and organizations must take responsibility for their own risk assessment.
Are Other AI Coding Tools Like Gemini CLI Also Affected?
Yes, other AI coding tools face similar risks — EclecticIQ researchers documented an active SEO poisoning campaign targeting developers searching for Gemini CLI and Claude Code installers, distributing malware that steals credentials and session cookies. The campaign demonstrates that attackers view all AI coding tools as high-value targets, regardless of vendor.
The SEO poisoning technique works by creating fraudulent websites that rank highly in Google search results for queries like “Gemini CLI install” or “Claude Code download.” These sites distribute trojanized installers that appear legitimate but contain infostealer malware such as Lumma Stealer. Once executed, the malware extracts SSH keys, API tokens, browser session cookies, and credential files stored on the developer’s machine.
The underlying architectural risk is not unique to any single tool. Any AI agent that reads untrusted content and executes commands with elevated privileges faces the same prompt injection and credential exposure vectors. Gemini CLI, GitHub Copilot, Cursor, and similar tools all process natural language instructions from sources that may contain adversarial content. The specific implementation details differ, but the attack surface is fundamentally similar across the ecosystem.
Security firm EclecticIQ reported that the campaign primarily targeted developers in the United States and Europe. The malicious domains closely mimicked legitimate URLs, making visual detection difficult even for experienced engineers.
Frequently Asked Questions
Can Claude Code actually leak GitHub credentials without user interaction?
Yes. Microsoft researchers demonstrated that when Claude Code runs as a GitHub Action with default permissions, a crafted prompt injection in a pull request or repository file can direct the agent to read environment variables containing credentials and exfiltrate them — all without any human review step if the workflow is configured for autonomous operation. The GITHUB_TOKEN and any configured secrets are accessible to the agent by default.
How does SEO poisoning work in the context of AI coding tools?
EclecticIQ documented a campaign where attackers created fraudulent websites mimicking official Gemini CLI and Claude Code download pages, then manipulated search rankings to place them above legitimate results. Developers who downloaded and ran the trojanized installers had their SSH keys, API tokens, and browser session cookies stolen by infostealer malware embedded in the packages.
What is prompt injection in the context of CI/CD pipelines?
Prompt injection occurs when an attacker embeds malicious natural language instructions inside data that an AI agent processes — such as a pull request description, README file, or dependency source code — causing the agent to execute unauthorized commands. In CI/CD environments, this can result in the agent reading secrets from environment variables, modifying workflow files, or exfiltrating credentials through git operations, as Microsoft’s analysis of Claude Code confirmed.
Should teams stop using AI agents in GitHub Actions entirely?
Not necessarily, but teams must restructure how agents are deployed. Microsoft and Anthropic both recommend applying least-privilege principles, restricting token scopes, sanitizing untrusted inputs, and requiring human review for agent-generated changes. Organizations should assess their specific risk tolerance and ensure that the productivity gains from AI agents justify the additional attack surface introduced into their build pipelines.
Summary
The intersection of AI coding agents and CI/CD pipelines creates a fundamentally new attack surface that traditional security models do not address. The key takeaways from Microsoft’s Claude Code disclosure and the EclecticIQ SEO poisoning campaign include:
- AI agents process untrusted input with trusted credentials, meaning any external content — PRs, issues, dependency files — can become an attack vector through prompt injection
- Default GitHub Actions permissions are too broad for AI agents; teams must explicitly scope
GITHUB_TOKENand secrets to the minimum required for each task - SEO poisoning campaigns are actively targeting AI tool users, with EclecticIQ documenting fraudulent Gemini CLI and Claude Code installer sites distributing infostealer malware
- No AI coding tool is immune — the architectural risk of agents reading untrusted content and executing commands affects Claude Code, Gemini CLI, GitHub Copilot, and the broader ecosystem
- Defense in depth remains essential: combine input sanitization, output filtering, isolated runners, credential rotation, and mandatory human review to mitigate the expanded attack surface
Review your GitHub Actions workflows today. Check what permissions your AI agents actually have versus what they actually need. The gap between those two answers is your exposure.