Prompt Injection and Trojanized PyPI Package Exposed Secrets in AI Coding Tools
Researchers from Johns Hopkins University showed that a "comment-and-control" prompt injection technique could hijack AI coding agents embedded in GitHub workflows, including Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent. By planting malicious instructions in untrusted GitHub content such as pull request titles, issue text, comments, and hidden HTML, the attackers made the agents follow attacker-controlled directions and exfiltrate secrets through workflow output or GitHub comments. The demonstrations reportedly exposed Anthropic and Gemini API keys, GitHub tokens, and other credentials available in GitHub Actions runners, and the affected vendors paid bug bounties and patched the issue without issuing CVEs or public advisories.
Separate research also identified a trojanized PyPI package, hermes-px, marketed as a privacy-focused AI proxy but designed to steal user prompts and exfiltrate data, including an altered Claude Code system prompt. Together, the findings show that the most immediate risk around AI developer tooling is not only the model itself but the runtime and integration layer, where untrusted repository content, overprivileged CI/CD workflows, and malicious third-party packages can turn coding assistants into secret-leaking supply-chain footholds. Defenders were urged to minimize agent permissions, restrict secret exposure, rotate credentials, prefer short-lived OIDC tokens, and harden GitHub Actions configurations such as pull_request_target usage.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Further analysis frames AI agent runtime as a CI/CD supply-chain risk
Subsequent reporting emphasized that the core weakness exposed by Comment and Control was in AI agent runtime and CI/CD integrations, especially workflows using pull_request_target, exposed runner secrets, and overly broad permissions. The analysis recommended reducing agent privileges, rotating credentials, using short-lived OIDC tokens, and hardening GitHub Actions settings.
Anthropic, Google, and GitHub quietly patch agent secret-leak issue
After responsible disclosure of the Comment and Control attack, Anthropic, Google, and GitHub remediated the issue and paid bug bounties. According to the reporting, the vendors did not publish CVEs or formal public advisories about the fixes.
Johns Hopkins researchers demonstrate 'Comment and Control' against GitHub AI agents
Researchers led by Aonan Guan showed that malicious instructions embedded in GitHub pull request titles, issue bodies, comments, and hidden HTML comments could hijack AI agents in GitHub workflows. The attack caused Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and GitHub Copilot Agent to follow attacker-controlled instructions and leak secrets from the GitHub Actions environment.
Media report amplifies hermes-px prompt-stealing PyPI package findings
A follow-up security news report highlighted the trojanized PyPI AI proxy campaign, describing how the package stole Claude prompts and exfiltrated data. This reflected broader public reporting of the malicious package after the initial research disclosure.
JFrog discloses trojanized PyPI package hermes-px targeting Claude users
JFrog Security Research reported that the PyPI package hermes-px, presented as a privacy-focused AI proxy, was malicious and stole user prompts while containing an altered Claude Code system prompt. The disclosure identified the package as a supply-chain threat affecting AI tooling users who installed it from PyPI.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Three AI coding agents leaked secrets through a single prompt injection. One vendor's system card predicted it | VentureBeat
venturebeat.com
Open sourceAnthropic, Google, Microsoft paid AI bug bounties - quietly
theregister.com
Open sourceTrojanized PyPI AI Proxy Steals Claude Prompt, Exfiltrates Data
gbhackers.com
Open sourcehermes-px: The 'Privacy' AI Proxy That Steals Your Prompts, Containing Altered Claude Code System Prompt - JFrog Security Research
research.jfrog.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious PyPI Package `hermes-px` Stole AI Prompts and Exposed User Data
Researchers at JFrog uncovered a malicious PyPI package, `hermes-px`, that posed as a privacy-focused, OpenAI-compatible AI inference proxy while covertly stealing prompts, responses, and users’ real IP addresses. The package impersonated a legitimate SDK from a fictitious company, included polished documentation and RAG examples, and secretly routed conversations to an attacker-controlled Supabase instance. Analysis showed it also decrypted and abused a private AI endpoint at **Universite Centrale in Tunisia**, protected by Azure WAF, while presenting itself as a secure proxy for AI access. The package contained a heavily obfuscated payload, a compressed file holding what researchers described as a near-complete copy of Anthropic Claude Code’s proprietary system prompt rebranded in part as **AXIOM-1**, and a secondary execution path through README instructions that told users to fetch and run a remote Python script from GitHub. JFrog urged affected users to uninstall `hermes-px`, treat all prompts and conversations sent through it as compromised, rotate credentials and other secrets, and block the identified Supabase exfiltration endpoint; one report also advised removing Tor from impacted environments.
Apr 7, 2026
RoguePilot Prompt-Injection Flaw in GitHub Codespaces Allowed Copilot to Leak `GITHUB_TOKEN`
Microsoft patched an AI-mediated vulnerability in **GitHub Codespaces** dubbed **RoguePilot** (reported by Orca Security) that could let an attacker seize control of repositories by embedding hidden instructions in a GitHub issue. When a developer launched a Codespace from a malicious issue, the issue text could be automatically ingested by the built-in **GitHub Copilot** agent, enabling *passive/indirect prompt injection* that coerced the agent into executing attacker-directed actions and leaking sensitive credentials—most notably a privileged `GITHUB_TOKEN`—potentially enabling repository takeover and downstream supply-chain impact. The disclosure reinforces a broader risk pattern where **developer tools and AI agents** become high-trust entry points for supply-chain compromise, as highlighted by commentary describing how dev-platform footholds can cascade into cloud and SaaS environments via token theft and trusted integrations. Separate reporting also notes increasing attacker speed and AI-enabled tradecraft, but those items are not specific to RoguePilot; the core actionable takeaway is that AI agents embedded in developer workflows can be manipulated through untrusted content (e.g., issues/PRs) unless strong isolation, least-privilege token scoping, and explicit user confirmation/guardrails prevent autonomous execution and secret exfiltration.
Mar 21, 2026
PromptPwnd Prompt Injection Vulnerability in AI-Driven CI/CD Pipelines
Aikido Security researchers have identified a new vulnerability class, dubbed **PromptPwnd**, that affects automated CI/CD pipelines such as GitHub Actions and GitLab CI/CD when integrated with AI agents like Gemini CLI, Claude Code, OpenAI Codex, and GitHub AI Inference. The vulnerability arises from prompt injection attacks, where untrusted user input—such as bug report titles—can be embedded into AI prompts, causing the AI agent to execute privileged actions, leak secrets, or manipulate workflows. This attack chain has been confirmed as practical and reproducible, with at least five Fortune 500 companies exposed, including a notable case involving Google’s Gemini CLI repository, which was patched within four days of responsible disclosure. Aikido Security has open-sourced Opengrep rules to help organizations detect this vulnerability in their codebases and recommends several mitigation steps: restricting the toolset available to AI agents, avoiding the injection of untrusted input into prompts, treating AI output as untrusted, and limiting the blast radius of leaked tokens. This is the first confirmed real-world demonstration that AI prompt injection can compromise CI/CD pipelines, highlighting the growing risks of integrating AI automation into software supply chains. The discovery follows recent attacks like Shai-Hulud 2.0, underscoring the urgent need for robust security controls in environments leveraging AI-driven automation.
Apr 27, 2026