Critical Flaw in Anthropic's Claude Code GitHub Action Enabled Repository Takeover via Single Malicious Issue

Attack flow (figure): malicious issue → prompt injection → Claude Code Action reads /proc/self/environ → secrets exfiltrated.
Key figures: 7.8 CVSS v4.0 score; 50+ bypass methods reported; 4 days to initial fix; fully patched in v2.1.128.
TL;DR
  • What: A CVSS 7.8 chain in Anthropic's Claude Code GitHub Action — a [bot] auth bypass plus prompt injection — let a single malicious GitHub issue hijack repositories and steal secrets.
  • Impact: Stolen API keys, GitHub OIDC/write tokens, and supply-chain poisoning — already used in the wild against the Cline npm package (Feb 2026).
  • Two bugs, two patches: 1.0.94 fixed the auth bypass; 2.1.128 closed the Read-tool /proc/self/environ secret-exfiltration path. “Patched” means ≥ 2.1.128.
  • Who's at risk: Any repo running the action below 2.1.128, or letting untrusted issues/PRs trigger an agent that also holds secrets and write access.
30-second check: run grep -rEi "claude-code-action" .github/workflows/ — if it's there, pin @v2.1.128+ and never give an issue-triggered agent both secrets and write access. Full 5-minute self-check below.

Anthropic's Claude Code GitHub Action contained a critical vulnerability that allowed attackers to compromise public repositories with nothing more than a single malicious GitHub issue. Discovered by RyotaK of GMO Flatt Security in January 2026, the flaw combined an authentication bypass with prompt injection to extract secrets and gain write access to target repositories. Most critically, the vulnerability affected Anthropic's own action repository, creating a supply chain attack vector that could have pushed malicious code to every downstream project using the action.

Anthropic patched the core bypass within four days of disclosure and continued hardening through spring 2026. The company rated the vulnerability 7.8 under CVSS v4.0 and paid a bug bounty. However, the attack chain has already been exploited in the wild against similar AI-powered GitHub workflows, including a February 2026 incident where attackers compromised the Cline project's npm publishing token and pushed an unauthorized package version to users.

How the Attack Works

Claude Code GitHub Actions integrates Anthropic's Claude AI into CI/CD pipelines to automatically triage issues, label content, review pull requests, and execute slash commands. By default, the workflow receives read and write access to repository code, issues, pull requests, discussions, and workflow files. Because these permissions are broad, the action was designed to restrict triggers to users with write access only.

The authentication check contained a fatal flaw: it automatically approved any actor whose username ended in [bot], assuming GitHub Apps were inherently trusted entities installed by administrators. In reality, anyone can register a GitHub App, install it on a repository they control, and use its authentication token to open issues or pull requests on any public repository. When the Claude Code action saw a bot actor, it bypassed permission checks and processed the content as trusted input. This vulnerability specifically affected agent mode; tag mode included an additional human verification check that prevented exploitation.

Prompt Injection Chains the Exploitation

After bypassing authentication, attackers exploited indirect prompt injection to manipulate Claude's behavior. This technique embeds malicious instructions within content that the AI model reads, causing it to follow attacker commands instead of its intended task. RyotaK crafted an issue body formatted to look like an error message, then iteratively refined the prompt until Claude would "recover" by executing embedded commands.

The primary target was /proc/self/environ, the Linux file containing a process's environment variables, including secrets. While Claude Code implements guards against naive file reads, RyotaK successfully bypassed these protections and coerced Claude into writing secret values back into the issue comments where attackers could retrieve them. The most valuable secrets were the credential pair GitHub Actions uses to request OIDC tokens—signed tokens proving "I'm this workflow running in this repo." Claude Code exchanges these tokens with Anthropic's backend for a Claude GitHub App installation token with write access.

Supply Chain Amplification Risk

An attacker targeting Anthropic's own claude-code-action repository could poison the official action that downstream projects automatically pull. This supply chain attack vector would cascade malicious code to every organization using the action, similar to other high-profile software supply chain compromises.

Additional Attack Vectors

RyotaK identified multiple exploitation paths beyond the bot authentication bypass. Anthropic's example issue-triage workflow shipped with the configuration setting allowed_non_write_users: "*", which permits anyone to trigger the workflow. Anthropic's own documentation flags this setting as risky, yet many organizations copied the example configuration and inherited the vulnerability. Making matters worse, Claude posted task summaries to the workflow run's publicly visible summary panel, creating a ready-made exfiltration channel for stolen data.

A third attack path exploits a time-of-check-to-time-of-use race condition. An attacker with issue editing permissions but without trigger access can modify a trusted user's issue after it fires the workflow but before Claude reads it. The malicious payload then rides into the system as "trusted" input, bypassing permission checks entirely.

Real-World Exploitation Already Occurred

While RyotaK proved the Anthropic action vulnerability only in controlled test environments, the same attack pattern has already caused real supply chain compromises. In February 2026, attackers used prompt injection against the Cline project's claude-code-action triage workflow, stealing an npm publish token and pushing an unauthorized cline@2.3.0 package. The rogue version force-installed a separate, non-malicious AI agent before being removed approximately eight hours later. The same attack chain could easily have distributed actual malware to every user who updated the package.

Later in February 2026, an autonomous bot called "HackerBot-Claw" systematically probed GitHub Actions misconfigurations across major organizations including Microsoft, Datadog, and CNCF projects. When it attempted to exploit a Claude-based code reviewer through a poisoned configuration file, Claude successfully detected and refused the prompt injection attack. However, the widespread probing demonstrates active adversary interest in exploiting AI-powered CI/CD integrations.

A Second Front: Secret Exfiltration via the Read Tool

Follow-up analysis published by Microsoft's security team in June 2026 confirmed the same component carried a second, distinct weakness — and that the January fix was not the end of the story. Claude Code scrubs secrets from the environment of the subprocesses it spawns for shell commands (the CLAUDE_CODE_SUBPROCESS_ENV_SCRUB guard), but the agent's Read tool did not pass through that same isolation. An attacker who won the prompt-injection battle could simply instruct the agent to read /proc/self/environ directly, retrieving ANTHROPIC_API_KEY and any other secrets the runner held — in plaintext, bypassing the sandbox the Bash path relied on.

To slip the stolen key past GitHub's automated secret scanning (which flags the sk-ant- prefix), the payload instructed the model to drop the first seven characters before echoing the value — defeating both the model's refusal layer and the platform's pattern matching in a single move. Anthropic closed this path in version 2.1.128, which now unconditionally rejects reads of /proc/ files. The practical takeaway: “patched” means 2.1.128 or later, not merely the 1.0.94 release that fixed the original [bot] authentication bypass.

MITRE ATLAS Mapping

This chain maps cleanly to AML.T0051 (LLM Prompt Injection), AML.T0098 (AI Agent Tool Credential Harvesting), and AML.T0057 (LLM Data Leakage) — a recognized, repeatable pattern against autonomous agents with tool access, not a one-off bug.

Researcher Credentials

RyotaK reports discovering approximately 50 separate methods to bypass Claude Code's permission system and execute unauthorized commands. This vulnerability is part of a sustained pattern of prompt injection flaws affecting AI coding agents, highlighting systemic security challenges in autonomous AI systems with elevated permissions.

Are You Exposed? A 5-Minute Self-Check

Run these against any repository whose CI you control. If you don't use the Claude Code GitHub Action at all, you're not exposed to this specific chain — but the same pattern applies to any AI agent you let read untrusted issues or pull requests while it holds secrets.

  1. Do you even run it? Search your workflows for the action. No hits = not exposed to this vector.
    grep -rEi "anthropics/claude-code-action|claude-code-action" .github/workflows/
  2. Is it patched? Find the pinned version. Anything below v2.1.128 — or a floating @main/@beta/major tag like @v1 that can resolve to an old build — is at risk. You want @v2.1.128 or later, ideally pinned to a full commit SHA.
  3. Can untrusted users trigger it? Look for allowed_non_write_users: "*" and triggers like issues, issue_comment, or pull_request_target with no write-access gate. A wildcard means anyone can fire the agent.
    grep -rEn 'allowed_non_write_users|pull_request_target|issue_comment' .github/workflows/
  4. What secrets does the job see? List the secrets in scope for the agent step. If anything beyond ANTHROPIC_API_KEY + GITHUB_TOKEN is exposed — npm publish tokens, cloud keys, registry creds — a single injection can steal them. Scope each job to the minimum.
  5. Can it change things or phone home? If the agent can write files, open PRs, run arbitrary bash, or make outbound network calls on an untrusted-triggered run, you have the full trifecta (untrusted input + secrets + state-change). Remove one leg.

A “yes” on any of 2–5 while you also answered “yes” to #1 means treat it as exposed and act on the steps below. The cheapest tell that a key has already walked: check your Anthropic/provider usage dashboard for calls from unfamiliar IPs or a sudden volume spike.
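An added audit script (not from the advisory, RyotaK, or Anthropic) that runs checks 1 to 5 above over a single workflow file and reports one line per signal. The two embedded workflows are constructed samples, one copying the risky example-configuration shape and one in the remediated shape; the anthropic_api_key input name is assumed.

```shell
#!/usr/bin/env bash
# Added example, not code from the advisory or from Anthropic: a grep-based audit that applies the self-check above to one workflow file. Both workflows below are constructed samples.
version_ok() {  # 0 if $1 is a full x.y.z tag at or above 2.1.128; 1 if floating or older
  local v=${1#v} a b c r
  case "$v" in *[!0-9.]*|""|*..*) return 1;; esac
  case "$v" in *.*.*) ;; *) return 1;; esac
  a=${v%%.*}; r=${v#*.}; b=${r%%.*}; c=${r#*.}
  case "$c" in *.*) return 1;; esac
  [ $((a * 1000000 + b * 1000 + c)) -ge 2001128 ]
}
audit_workflow() {  # prints one RISK:/NOTE:/OK: line per signal found in workflow file $1
  local f=$1 n=0 ref s
  grep -Eqi 'claude-code-action' "$f" || { echo "OK: workflow does not use claude-code-action"; return 0; }
  # 2. version pin: floating tags (@v1, @main, @beta) and anything below 2.1.128 are at risk
  ref=$(grep -Eoi 'claude-code-action@[^[:space:]"#,]+' "$f" | head -n1 | cut -d@ -f2)
  if [ "${#ref}" -eq 40 ]; then echo "NOTE: pinned to commit $ref; confirm it is v2.1.128 or later"
  elif ! version_ok "$ref"; then echo "RISK: ref @$ref is floating or below v2.1.128"; n=$((n + 1)); fi
  # 3. untrusted triggering: a wildcard allowlist means anyone can fire the agent
  grep -Eq 'allowed_non_write_users:[[:space:]]*"?\*' "$f" &&
    { echo "RISK: allowed_non_write_users wildcard lets anyone trigger the agent"; n=$((n + 1)); }
  grep -Eq 'pull_request_target|issue_comment' "$f" &&
    echo "NOTE: untrusted-triggerable event present; confirm the write-access gate is on"
  # 4. secrets in scope beyond the two the action needs
  for s in $(grep -Eo 'secrets\.[A-Za-z0-9_]+' "$f" | cut -d. -f2 | sort -u); do
    case "$s" in ANTHROPIC_API_KEY|GITHUB_TOKEN) ;;
      *) echo "RISK: extra secret $s is exposed to the agent job"; n=$((n + 1));; esac
  done
  # 5. state change: write scopes let an injected agent push code or open PRs
  grep -Eq '(contents|pull-requests):[[:space:]]*write' "$f" &&
    { echo "RISK: write permission lets an injected agent change repository state"; n=$((n + 1)); }
  [ "$n" -eq 0 ] && echo "OK: no risk findings"
  return 0
}
risk_count() { audit_workflow "$1" | grep -c '^RISK' || true; }  # number of RISK lines for $1
WEAK=$(mktemp); SAFE=$(mktemp); trap 'rm -f "$WEAK" "$SAFE"' EXIT
cat >"$WEAK" <<'EOF'   # constructed: copies the risky example-config shape described above
on: [issues, issue_comment]
permissions: {contents: write, pull-requests: write}
jobs: {triage: {steps: [{uses: anthropics/claude-code-action@v1,
  with: {allowed_non_write_users: "*"},
  env: {ANTHROPIC_API_KEY: "${{ secrets.ANTHROPIC_API_KEY }}", NPM_TOKEN: "${{ secrets.NPM_TOKEN }}"}}]}}
EOF
cat >"$SAFE" <<'EOF'   # constructed: patched, pinned, minimal secrets, read-only contents
on: [issues]
permissions: {contents: read, issues: write}
jobs: {triage: {steps: [{uses: anthropics/claude-code-action@v2.1.128,
  with: {anthropic_api_key: "${{ secrets.ANTHROPIC_API_KEY }}"}}]}}
EOF
audit_workflow "$WEAK"; echo "---"; audit_workflow "$SAFE"
```

Point audit_workflow at each file under .github/workflows/ in turn; a commit-SHA pin is reported as a NOTE because the script cannot tell offline which release the commit belongs to.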

Immediate Remediation Steps

Organizations using Claude Code GitHub Actions must update to version 2.1.128 or later immediately. Version 1.0.94 fixed the original [bot] authentication bypass; 2.1.128 closes the separate Read-tool environment-variable exfiltration path. Earlier releases leave one of the two attack chains open. However, updating alone is insufficient—comprehensive security audits are required.

Audit every workflow configuration that allows users without write access or bot actors to trigger Claude. For any workflow processing untrusted input, limit exposed secrets to only the Anthropic API key and GITHUB_TOKEN. Remove additional credentials, especially those with external system access like npm publish tokens or cloud provider credentials. Strip tools and permissions that could enable data exfiltration, including file write capabilities to publicly accessible locations and external network access beyond essential API calls.

Review and remediate any workflow copied from Anthropic's example configurations, particularly those containing allowed_non_write_users: "*". Replace wildcards with explicit allowlists of trusted user accounts. Disable or restrict Claude's ability to post summaries to publicly visible workflow panels when processing potentially sensitive information.

Systemic Implications for AI Security

This vulnerability illustrates fundamental security challenges when integrating large language models into privileged automation systems. Prompt injection remains an unsolved problem in AI security. Unlike traditional code injection vulnerabilities that can be mitigated through input sanitization and parameterized queries, prompt injection exploits the core functionality of language models—processing natural language instructions embedded in content.

AI agents with real tools and real authentication tokens can be manipulated as far as their permissions extend. The combination of broad repository write access, secret exposure through environment variables, and an AI system susceptible to instruction manipulation creates a perfect storm for exploitation. Defense-in-depth becomes critical: limit permissions to minimum necessary scope, isolate credentials by function, implement human approval gates for sensitive operations, and assume prompt injection will succeed.

Microsoft frames the defensive principle as the Agents Rule of Two: an AI workflow should never simultaneously hold all three of — (a) the ability to process untrusted input, (b) access to sensitive systems or secrets, and (c) the ability to change state or communicate externally. Remove any one leg and the credential-theft chain breaks. A triage agent that reads untrusted issues should not also carry npm or cloud tokens and the power to open pull requests; that trifecta is exactly what this attack exploited.

The supply chain dimension amplifies risk exponentially. Compromising a widely-used GitHub Action doesn't just affect one organization—it cascades to every downstream consumer who trusts and automatically updates the action. As organizations rush to integrate AI capabilities into development workflows, security teams must recognize that these tools introduce new attack surfaces that traditional security controls weren't designed to address. The race to AI-augmented development cannot outpace the establishment of appropriate security guardrails.
