Claude Code GitHub Action: CI/CD Secret Exposure Fix

Microsoft Threat Intelligence found that Anthropic’s Claude Code GitHub Action could expose CI/CD workflow secrets. This happens when AI agents process untrusted GitHub content, like issue bodies or pull request descriptions. What's interesting is that while other subprocesses had environment scrubbing, the Read tool did not. This allowed it to access sensitive files, potentially reading API keys and other credentials. Following responsible disclosure, Anthropic fixed this in Claude Code version 2.1.128 by blocking access to these sensitive files. This research began after observing prompt injection attempts in public repositories using AI-assisted GitHub workflows. For example, a prompt injection was hidden as an HTML comment, invisible to users but visible to the AI model. Another attack used an XSS injection via an issue triage workflow. Here, an AI bot was given powerful tools to resolve issues. An attacker provided the AI with a precise sequence of commands, instructing it to find a file, add malicious HTML, and then create a pull request. This could lead to a supply-chain compromise. The bottom line is that defenders should treat AI workflows processing untrusted GitHub content as high-risk, especially if they have access to secrets, file-read tools, or external communication.