- Microsoft researchers discovered a Claude Code vulnerability where attack instructions in GitHub comments could manipulate the AI.
- The flaw could have exposed sensitive API keys and cloud credentials stored in software development pipelines.
- Anthropic patched the issue in May after Microsoft disclosed it, highlighting new risks from AI agents in CI/CD workflows.
- Prompt injection attacks represent a major emerging threat, where AI agents are tricked into following hidden, malicious commands.
Microsoft security researchers revealed in June 2025 that a now-patched vulnerability in Anthropic‘s Claude Code GitHub Action could have let attackers steal credentials by manipulating the AI agent with malicious instructions hidden in GitHub issues or pull requests. This incident underscores the novel security risks that AI coding assistants introduce into sensitive software development environments.
The researchers, who detailed their findings in a blog post, warned that CI/CD workflows often contain valuable secrets like API keys. They began their investigation after observing real-world prompt injection attempts in public repositories using various AI-assisted workflows.
Consequently, this type of attack exploits the fact that natural language instructions for AI can function as executable code. The team proved the flaw by creating a GitHub workflow where malicious prompts, hosted on a controlled domain, bypassed Claude’s safety mechanisms.
Specifically, the attack tricked the AI into reading and altering sensitive credentials to evade detection tools. Microsoft stated, “We obscured the shell payload behind a response from our controlled domain” to bypass the AI’s refusal safety features.
Anthropic resolved the security flaw on May 5 with an updated version of Claude Code. The patch followed responsible disclosure through HackerOne on April 29, after Microsoft demonstrated how a determined attacker could potentially exfiltrate production credentials.
Meanwhile, prompt injection has emerged as a critical threat for AI agents that process untrusted inputs. The report concluded that we are entering an era where a single crafted comment can compromise an entire system if trust boundaries are misunderstood.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
