Securing CI/CD in an agentic world: Claude Code GitHub Action case
Summary
Microsoft Threat Intelligence found that Anthropic's Claude Code GitHub Action could expose sensitive credentials when AI agents process untrusted GitHub content (such as issue descriptions and comments). Because the Read tool was not properly sandboxed, it could read /proc/self/environ and disclose API keys held in the process environment. Attackers exploited this by hiding prompt injection attacks (instructions embedded in the agent's input to trick it) in HTML comments within GitHub issues, manipulating the AI agent into executing malicious operations such as planting code in repositories.
Solution / Mitigation
Anthropic mitigated this issue in Claude Code version 2.1.128 by blocking access to sensitive /proc files. Microsoft also recommends that defenders treat AI workflows processing untrusted GitHub content as high-risk, especially when they have access to secrets, file-read tools, or external communication channels.
Original source: https://www.microsoft.com/en-us/security/blog/2026/06/05/securing-ci-cd-in-agentic-world-claude-code-github-action-case/
First tracked: June 5, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%