PromptPwnd Prompt Injection Vulnerability in AI-Driven CI/CD Pipelines
Aikido Security researchers have identified a new vulnerability class, dubbed PromptPwnd, that affects automated CI/CD pipelines such as GitHub Actions and GitLab CI/CD when integrated with AI agents like Gemini CLI, Claude Code, OpenAI Codex, and GitHub AI Inference. The vulnerability arises from prompt injection attacks, where untrusted user input—such as bug report titles—can be embedded into AI prompts, causing the AI agent to execute privileged actions, leak secrets, or manipulate workflows. This attack chain has been confirmed as practical and reproducible, with at least five Fortune 500 companies exposed, including a notable case involving Google’s Gemini CLI repository, which was patched within four days of responsible disclosure.
Aikido Security has open-sourced Opengrep rules to help organizations detect this vulnerability in their codebases and recommends several mitigation steps: restricting the toolset available to AI agents, avoiding the injection of untrusted input into prompts, treating AI output as untrusted, and limiting the blast radius of leaked tokens. This is the first confirmed real-world demonstration that AI prompt injection can compromise CI/CD pipelines, highlighting the growing risks of integrating AI automation into software supply chains. The discovery follows recent attacks like Shai-Hulud 2.0, underscoring the urgent need for robust security controls in environments leveraging AI-driven automation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Google patches Gemini CLI headless RCE flaw in CI/CD environments
Google fixed a critical remote code execution risk in the @google/gemini-cli package and the google-github-actions/run-gemini-cli GitHub Action when used in headless CI/CD workflows. The patch changed headless mode so workspace folders are no longer trusted by default and addressed allowlisting enforcement issues in --yolo mode after reports from Elad Meged and Dan Lisichkin through Google's VRP.
Researchers unveil 'comment-and-control' attacks on GitHub AI agents
Researchers led by Aonan Guan of Johns Hopkins University demonstrated a prompt injection technique called 'comment-and-control' that hijacks AI agents integrated with GitHub Actions by embedding malicious instructions in pull request titles, issue bodies, comments, and hidden HTML. They showed the method could make Anthropic Claude Code Security Review, Google's Gemini CLI Action, and Microsoft's GitHub Copilot Agent execute commands and leak secrets such as API keys and GitHub tokens from the Actions runner environment.
Aikido releases detection rules and scanner guidance for PromptPwnd
Aikido open-sourced detection content, including Opengrep rules and a code scanner, to help organizations identify vulnerable workflows. The company also recommended restricting AI agent permissions, sanitizing or excluding untrusted input from prompts, and treating AI output as untrusted.
Google patches Gemini CLI after Aikido disclosure
After Aikido privately reported the issue, Google fixed the PromptPwnd-related weakness in Gemini CLI within four days. Other affected AI coding and automation platforms were still described as exposed or under remediation.
Aikido demonstrates real-world PromptPwnd impact in high-profile repositories
Aikido confirmed practical exploitation scenarios for PromptPwnd, including a real-world demonstration involving Google's Gemini CLI repository, and said at least five Fortune 500 companies were affected or engaged in remediation. The research marked one of the first confirmed cases of AI prompt injection directly compromising CI/CD pipelines rather than remaining a theoretical risk.
Aikido discovers PromptPwnd in AI-enabled CI/CD workflows
Aikido Security identified a new prompt injection vulnerability class, dubbed PromptPwnd, affecting GitHub Actions and GitLab CI/CD workflows that embed untrusted user input into prompts for AI agents such as Gemini CLI, Claude Code, OpenAI Codex, and GitHub AI Inference. The flaw can let attackers manipulate agents into privileged actions, including secret leakage and unauthorized workflow or repository changes.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Critical Gemini CLI Vulnerability Enables Remote Code Execution Attacks
cybersecuritynews.com
Open sourceClaude Code, Gemini CLI, and GitHub Copilot Vulnerable to Prompt Injection via GitHub Comments
cybersecuritynews.com
Open sourceAnthropic, Google, Microsoft paid AI bug bounties - quietly • The Register
go.theregister.com
Open sourceComment and Control: Prompt Injection to Credential Theft in Claude Code, Gemini CLI, and GitHub Copilot Agent | Aonan Guan
oddguan.com
Open sourcePromptPwnd Vulnerability Exposes AI driven build systems to Data Theft
hackread.com
Open sourceAI in CI/CD pipelines can be tricked into behaving badly
csoonline.com
Open sourceMore evidence your AI agents can be turned against you
cyberscoop.com
Open sourcePrompt Injection Inside GitHub Actions: The New Frontier of Supply Chain Attacks
aikido.dev
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Prompt Injection and Trojanized PyPI Package Exposed Secrets in AI Coding Tools
Researchers from Johns Hopkins University showed that a **"comment-and-control"** prompt injection technique could hijack AI coding agents embedded in GitHub workflows, including Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent. By planting malicious instructions in untrusted GitHub content such as pull request titles, issue text, comments, and hidden HTML, the attackers made the agents follow attacker-controlled directions and exfiltrate secrets through workflow output or GitHub comments. The demonstrations reportedly exposed Anthropic and Gemini API keys, GitHub tokens, and other credentials available in GitHub Actions runners, and the affected vendors paid bug bounties and patched the issue without issuing CVEs or public advisories. Separate research also identified a trojanized PyPI package, **`hermes-px`**, marketed as a privacy-focused AI proxy but designed to steal user prompts and exfiltrate data, including an altered Claude Code system prompt. Together, the findings show that the most immediate risk around AI developer tooling is not only the model itself but the runtime and integration layer, where untrusted repository content, overprivileged CI/CD workflows, and malicious third-party packages can turn coding assistants into secret-leaking supply-chain footholds. Defenders were urged to minimize agent permissions, restrict secret exposure, rotate credentials, prefer short-lived OIDC tokens, and harden GitHub Actions configurations such as `pull_request_target` usage.
Jun 1, 2026
Prompt Injection Attacks and Security Challenges in AI Systems
Prompt injection has emerged as a critical security concern in the deployment of large language models (LLMs) and AI agents, with attackers exploiting the way these systems interpret and execute instructions. Security researchers have drawn parallels between prompt injection and earlier vulnerabilities like SQL injection, highlighting its potential to undermine the intended behavior of AI models. Prompt injection involves manipulating the input prompts to override or bypass the system-level instructions set by developers, leading to unauthorized actions or data leakage. The attack surface is broad, as LLMs are increasingly integrated into applications and workflows, making them attractive targets for adversaries. Multiple organizations, including OpenAI, Microsoft, and Anthropic, have initiated efforts to address prompt injection, but the problem remains unsolved due to the complexity and adaptability of AI models. Real-world demonstrations have shown that prompt injection can be used to break out of agentic applications, bypass browser security rules, and even persistently compromise AI systems through mechanisms like memory manipulation. Security conferences such as BlackHat USA 2024 have featured research on exploiting AI-powered tools like Microsoft 365 Copilot, where attackers can escalate privileges or exfiltrate data by crafting malicious prompts or leveraging markdown image vectors. Researchers have also identified that AI agents can be tricked into ignoring browser security policies, such as CORS, leading to potential cross-origin data leaks. Defensive measures, such as intentionally limiting AI capabilities or implementing stricter input filtering, have been adopted by some vendors, but these often come at the cost of reduced functionality. The security community is actively developing standards, such as the OWASP Agent Observability Standard, to improve monitoring and detection of prompt injection attempts. Despite these efforts, adversaries continue to find novel ways to exploit prompt injection, including dynamic manipulation of tool descriptions and bypassing image filtering mechanisms. The rapid evolution of AI technologies and the proliferation of agentic applications have made it challenging to keep pace with emerging threats. Security researchers emphasize the need for ongoing vigilance, robust testing, and collaboration across the industry to mitigate the risks associated with prompt injection. The use of AI in sensitive environments, such as enterprise productivity suites and web browsers, amplifies the potential impact of successful attacks. As AI adoption accelerates, organizations must prioritize understanding and defending against prompt injection to safeguard their systems and data. The ongoing research and public disclosures serve as a call to action for both developers and defenders to address this evolving threat landscape.
Mar 21, 2026
Indirect Prompt Injection and Data Exfiltration Risks in Enterprise AI Agents
Security researchers warned that **AI agents and retrieval-augmented generation (RAG) systems** can be turned into data-exfiltration channels when attackers poison inputs or embed malicious instructions in content the model is expected to process. One report described a **0-click indirect prompt injection** against *OpenClaw* agents in which hidden instructions cause the agent to generate an attacker-controlled URL containing sensitive data such as API keys or private conversations in query parameters; messaging platforms like *Telegram* or *Discord* can then automatically request that URL for link previews, silently delivering the data to the attacker. The same reporting noted concerns about insecure defaults that allow agents to browse, execute tasks, and access local files, expanding the blast radius of prompt-injection abuse. Related analysis highlighted that the same core weakness extends beyond standalone agents to **enterprise RAG deployments**, where the integrity of the knowledge base becomes part of the security boundary. If attackers can poison indexed documents in systems such as SharePoint or Confluence, they can manipulate retrieval results and influence model outputs, including security workflows and analyst guidance. Broader commentary on **agentic AI threat convergence** reinforced that prompt engineering is no longer just a productivity technique but an emerging exploit class, with adversaries using prompt injection and context manipulation against AI-enabled security operations. Together, the reporting shows that enterprise AI risk increasingly depends on controlling untrusted content, hardening agent permissions, and treating prompts, retrieved documents, and downstream integrations as attack surfaces.
May 7, 2026