Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories

A security researcher found a flaw in Anthropic's Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it, with nothing more than a single opened GitHub issue. Because Anthropic's own action repo used the same workflow, a working attack could have pushed malicious code into the action itself and onto the projects downstream that pull it. RyotaK of GMO

The article describes a critical vulnerability in Anthropic's Claude Code GitHub Action where a single malicious GitHub issue, PR, or comment—especially from a GitHub App—could bypass permission checks and, via indirect prompt injection, exfiltrate tokens and gain write access to any vulnerable repository using the action, including Anthropic's own action repo.[1][2][3][4] This created a classic AI supply chain risk: a successful exploit against the action's repository could poison the action itself and silently propagate malicious code to downstream projects that consume it.[1][2][3][4] CyberSE.AI analysis: This incident demonstrates that AI-powered CI/CD and coding agents are part of the software supply chain and must be threat-modeled like any other third-party build dependency, with strict control over which workflows process untrusted input, what secrets and tokens they can access, and how AI tools are allowed to execute commands. Organizations should integrate AI-focused SBOM and supply chain reviews, pin and monitor AI action versions, and continuously test for prompt-injection-driven exfiltration paths in automated agent workflows.