Claude Code GitHub Action Flaws Exposed CI/CD Secrets and Enabled Repo Takeover
Researchers disclosed multiple security flaws in Anthropic’s Claude Code GitHub Action that could let attackers compromise public repositories and expose CI/CD secrets through a single malicious GitHub issue or other untrusted content. One issue, reported by RyotaK of GMO Flatt Security, stemmed from an authorization bypass that trusted any GitHub actor whose name ended in [bot], allowing attacker-controlled GitHub Apps to trigger workflows and inject malicious prompts. Anthropic said the bug could lead to disclosure of environment secrets, including credentials used to obtain OIDC tokens and Claude GitHub App installation tokens with write access, creating a path to repository takeover and broader supply-chain compromise.
Microsoft Threat Intelligence separately showed that Claude Code’s Read tool was not sandboxed like its Bash tool, enabling access to sensitive runner data such as /proc/self/environ and leakage of secrets including ANTHROPIC_API_KEY. In lab testing, Microsoft demonstrated prompt-injection attacks that bypassed model safeguards and GitHub secret scanning to exfiltrate credentials through logs, comments, or external channels. Anthropic fixed the authorization issue within days of disclosure and later added hardening in claude-code-action v1.0.94, while the /proc exposure was mitigated in Claude Code v2.1.128 by blocking access to sensitive procfs files; defenders were urged to treat AI-enabled CI/CD workflows processing untrusted issues, pull requests, and comments as high risk.
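The authorization bypass described above is a pattern worth checking for in any action that gates on the triggering actor. The following is an added illustration, not code from claude-code-action or Anthropic: a suffix-based "trust anything ending in [bot]" check beside a hardened variant that matches bot identities exactly and requires a repository relationship for humans. The context shape, the bot allow-list and the association set are assumptions for the example.

```typescript
// Illustrative trigger-authorization check for a GitHub Action reacting to
// issue/comment events. This is NOT the claude-code-action code base; it shows
// the class of bug described in the article and one defensive alternative.

// Minimal slice of the GitHub event payload this check uses (assumed shape):
// sender.login, sender.type and the issue/comment author_association.
export interface TriggerContext {
  actorLogin: string;
  actorType: "User" | "Bot";
  authorAssociation: string; // e.g. OWNER, MEMBER, COLLABORATOR, NONE
}

// Vulnerable pattern: trusting any login that ends with "[bot]".
// Every GitHub App installed by anyone gets such a login, so this is
// identity formatting, not authorization.
export function isTrustedActorWeak(ctx: TriggerContext): boolean {
  return ctx.actorLogin.endsWith("[bot]");
}

// Hardened pattern: bots are matched by exact login against an explicit
// allow-list (constructed placeholder below; use your own installed Apps),
// and human actors must hold a real relationship to the repository.
const ALLOWED_BOT_LOGINS = new Set<string>(["example-ci[bot]"]);
const TRUSTED_ASSOCIATIONS = new Set<string>(["OWNER", "MEMBER", "COLLABORATOR"]);

export function isTrustedActorHardened(ctx: TriggerContext): boolean {
  if (ctx.actorType === "Bot") {
    return ALLOWED_BOT_LOGINS.has(ctx.actorLogin);
  }
  return TRUSTED_ASSOCIATIONS.has(ctx.authorAssociation);
}

// Constructed sample: an attacker-controlled App posting to a public repo.
export const attackerApp: TriggerContext = {
  actorLogin: "attacker-app[bot]",
  actorType: "Bot",
  authorAssociation: "NONE",
};
```

The weak check accepts `attackerApp`; the hardened check rejects it while still admitting the allow-listed bot and repository members.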

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes lab findings on Claude Code CI/CD secret exposure
Microsoft Threat Intelligence published research showing in lab conditions that prompt injection against Claude Code workflows could bypass model safeguards and GitHub secret scanning to leak CI/CD credentials. The company warned that AI workflows handling untrusted GitHub content and secrets should be treated as high risk.
Researcher publicly discloses single-issue repository hijack vulnerability
A public disclosure described how one malicious GitHub issue could hijack vulnerable public repositories using Anthropic's Claude Code GitHub Action. The write-up said Anthropic assigned the flaw a CVSS v4.0 score of 7.8 and paid a bug bounty.
Anthropic fixes reported GitHub Action flaw within four days
After receiving the January report, Anthropic fixed the authorization-bypass issue within four days and later added further hardening in claude-code-action v1.0.94. The bug could have enabled repository compromise and exposure of CI/CD secrets from a single malicious GitHub issue.
Researcher reports Claude Code GitHub Action auth bypass to Anthropic
RyotaK of GMO Flatt Security reported a vulnerability in Anthropic's Claude Code GitHub Action in January. The flaw trusted any GitHub actor whose name ended in "[bot]," allowing attacker-controlled GitHub Apps to trigger the action with malicious issue content.
Anthropic mitigates Claude Code Read-tool secret exposure in v2.1.128
On 2026-05-05, Anthropic mitigated a separate Claude Code issue by blocking access to sensitive /proc files in version 2.1.128. Microsoft said the unsandboxed Read tool could expose runner secrets such as ANTHROPIC_API_KEY when AI agents processed untrusted GitHub content.