Critical flaw in Anthropic's Claude Code let attackers hijack public repositories with a single issue

Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories

A security researcher found a flaw in Anthropic's Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it, with nothing more than a single opened GitHub issue. Because Anthropic's own action repo used the same workflow, a working attack could have pushed malicious code into the action itself and onto the projects downstream that pull it. RyotaK of GMO Flatt Security reported the core bypass to Anthropic in January, and Anthropic fixed it within four days, with further hardening through the spring; the fixes are in claude-code-action v1.0.94. Anthropic rated the issues 7.8 under CVSS v4.0 and paid a bug bounty. The writeup doesn't cite a CVE. Claude Code GitHub Actions drops Claude into CI/CD pipelines to triage issues, slap on labels, review pull requests, or run slash commands. By default, the workflow gets read and write access to a repo's code, issues, pull requests, discussions, and workflow files. Because those permissions are broad, the action is supposed to be picky about who can trigger it: only users with write access. The trigger check had a hole. It waved through any actor whose name ended in [bot], on the assumption that GitHub Apps are trusted things admins install. Trouble is, anyone can register a GitHub App, install it on a repo they own, and use its token to open an issue or pull request on any public repository. The action saw "a bot" and let the attacker's content through. Tag mode had an extra check to confirm the actor was a real human; agent mode didn't, which left it open. From there, the attacker leans on indirect prompt injection, the trick of planting instructions inside content that an AI reads so the model follows them instead of its actual task. RyotaK wrote an issue whose body looked like an error message, then refined the prompt until Claude would "recover" by running the commands buried in it. The target is /proc/self/environ, the Linux file that holds a process's environment variables, secrets included. Claude Code blocks naive reads, but RyotaK bypasses the guard anyway and gets Claude to write the values back into the issue, where the attacker can grab them. The real prize in those variables is the credential pair GitHub Actions uses to request an OIDC token, a signed token that proves "I'm this workflow running in this repo." Claude Code trades that token with Anthropic's backend for a Claude GitHub App installation token with write access. Steal those credentials, replay the exchange, and you hold write access to the target's code, issues, and workflows. Aim it at the claude-code-action repo itself, and you could poison the action that downstream projects pull. RyotaK also flagged a softer route that skipped the bot trick entirely. Anthropic's own example issue-triage workflow shipped with allowed_non_write_users: "*", which lets anyone trigger it, a setting Anthropic's docs already flag as risky. Worse, Claude was posting task summaries to the workflow run's publicly visible summary panel, a ready-made way to leak data out. Plenty of repos copied that example and inherited the hole. There's also a path for an attacker who can edit issues but can't trigger Claude on their own: edit a trusted user's issue after it has fired the workflow, but before Claude reads it, and the payload rides in as "trusted" input. What to do? Update to claude-code-action v1.0.94 or later. Then audit any workflow that lets users without write access, or bots, trigger Claude: if it is taking untrusted input, don't feed it any secret beyond the Anthropic API key and GITHUB_TOKEN, and remove tools and permissions that can be used for exfiltration. None of this is theoretical. The same setup, an AI issue-triager plus broad permissions plus prompt injection, already caused a real supply-chain hit: * In February, a prompt-injected issue title against Cline's claude-code-action triage workflow let attackers steal an npm publish token and push an unauthorized [email protected]. The rogue version only force-installed a separate, non-malicious AI agent and was pulled about eight hours later, but the same chain could just as easily have shipped real malware to everyone who updated. * The autonomous "HackerBot-Claw" bot then spent late February probing GitHub Actions misconfigurations at Microsoft, Datadog, CNCF projects, and others, though when it tried to prompt-inject a Claude-based reviewer through a poisoned config file, Claude caught it and refused. There's no public sign of this exact path, the one that poisons Anthropic's own action, was used against a live target; RyotaK proved it only in his own test repos, and he's careful to separate that from the variants above that did get exploited. RyotaK says he has now reported around 50 separate ways to bypass Claude Code's permission system and run commands, part of a steady run of prompt-injection flaws in AI coding agents. Prompt injection still isn't solved, and an agent with real tools and real tokens can be pushed as far as its permissions allow.

Claude Code GitHub Action flaw enabled repository hijacking

A flaw in Anthropic's Claude Code GitHub Action let attackers bypass permission checks via a fake bot account and use prompt injection to steal OIDC tokens, gaining write access to any vulnerable repository. Anthropic patched the vulnerability within four days of disclosure. The attack starts with a GitHub issue. Not a sophisticated one. Just an issue opened by a bot account with a carefully worded body that looks like an error message. When Claude Code's GitHub Action picks it up for triage, it follows the instructions hidden inside, reads the process's environment variables, and writes them back into the issue for the attacker to collect. Those variables contain the credentials needed to request an OIDC token, which can be exchanged for a Claude GitHub App installation token with full write access to the repository's code, issues, and workflows. Aim the attack at Anthropic's own claude-code-action repository, which ran the same vulnerable workflow, and you could poison the action that thousands of downstream projects pull. Security researcher RyotaK of GMO Flatt Security reported the vulnerability to Anthropic in January. The company fixed the core bypass within four days, with additional hardening through the spring. The patches are in claude-code-action v1.0.94. Anthropic rated the issues 7.8 under CVSS v4.0 and paid a bounty of $4,800. How the bypass worked Claude Code GitHub Actions gives Claude read and write access to a repository's code, issues, pull requests, discussions, and workflow files by default. To limit who can trigger those capabilities, the action checks whether the actor has write access to the repository. The check had a hole. It automatically trusted any actor whose name ended in , on the assumption that GitHub Apps are trusted tools installed by administrators. But anyone can register a GitHub App, install it on a repository they control, and use its token to open an issue on any public repository. The action saw a bot name and let the content through. Agent mode lacked the additional human-actor verification that tag mode performed, leaving it fully exposed. Once past the gate, the attacker uses indirect prompt injection, planting instructions inside content that Claude reads as data but executes as commands. RyotaK crafted an issue body disguised as an error recovery message. Claude "recovered" by running the commands buried inside, reading despite Claude Code's built-in guards against that exact operation, and posting the values to the issue. A second path, no bot required RyotaK also identified a softer route that bypassed the bot trick entirely. Anthropic's own example issue-triage workflow shipped with the setting , which permits anyone to trigger the action. Anthropic's documentation already flagged this as risky, but many repositories copied the example and inherited the configuration. Worse, Claude was posting task summaries to the workflow run's publicly visible summary panel, creating a ready-made exfiltration channel. A third variant targeted race conditions: edit a trusted user's issue after the workflow fires but before Claude reads it, and the malicious payload rides in as trusted input. Not theoretical The same pattern, an AI issue triager combined with broad permissions and prompt injection, has already caused real damage. In February, a prompt-injected issue title against Cline's claude-code-action triage workflow let attackers steal an npm publish token and push an unauthorised [email protected]. The rogue version force-installed a separate AI agent called OpenClaw on roughly 4,000 developer systems during an eight-hour window before being pulled. An autonomous bot called HackerBot-Claw then spent late February probing GitHub Actions misconfigurations at Microsoft, Datadog, and CNCF projects. When it tried to prompt-inject a Claude-based reviewer through a poisoned config file, Claude caught it and refused. That is both reassuring and concerning: the model's defences are inconsistent enough that the same class of attack sometimes succeeds and sometimes fails. Fifty bypasses and counting RyotaK says he has now reported approximately 50 separate ways to bypass Claude Code's permission system and execute commands. The finding is part of a broader wave of supply chain attacks targeting AI-powered developer tools, from the poisoned VS Code extension that breached GitHub's own repositories to malicious npm packages designed to harvest credentials from AI coding assistants. The remediation is straightforward: update to claude-code-action v1.0.94 or later, audit any workflow that allows non-write users or bots to trigger Claude, strip unnecessary secrets from the environment, and remove tools and permissions that could be used for exfiltration. The deeper problem is structural. Prompt injection remains unsolved. An AI agent with real tools and real tokens can be pushed as far as its permissions allow, and the permissions most organisations grant by default are far broader than the attack surface they are prepared to defend.