
Claude Code GitHub Action Flaw Allows a Malicious Issue to Hack Repositories

Swati Khandelwal | June 04, 2026 | Vulnerability / Security of AI

A security researcher has found a flaw in Anthropic’s Claude Code GitHub Action that lets an attacker take over vulnerable public repositories that use it with nothing more than a single open GitHub issue. Because Anthropic’s own action repository ran the same workflow, a live attack could have pushed malicious code into the action itself and from there into every downstream project that pulls it.

GMO Flatt Security’s RyotaK reported the flaw to Anthropic in January; Anthropic shipped a fix within four days and kept hardening the action through the spring, with the full fix landing in claude-code-action v1.0.94. Anthropic rated the issue 7.8 under CVSS v4.0 and paid a bug bounty.

Claude Code GitHub Actions drop Claude into CI/CD pipelines to triage issues, react to labels, update pull requests, or run slash commands. By default the workflow gets read and write access to repository code, issues, pull requests, discussions, and workflow files. Because those permissions are so broad, the action must restrict who can trigger it: out of the box, only users with write access.

That trigger check had a hole. It waved through any actor whose name ends in [bot], on the assumption that GitHub Apps are trusted objects installed by administrators. The problem is that anyone can register a GitHub App, install it on their own repository, and use its token to open an issue or pull request on any public repository. The action saw the “bot” suffix and let the attacker’s content through. Tag mode had an extra check that the actor is a real human user; agent mode did not, leaving it wide open.
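The difference between the check the article describes and a sound one is easiest to see side by side. The following is an added example, not code from claude-code-action or from RyotaK’s report: it contrasts a trust check that accepts any login ending in “[bot]” with one that accepts bots only from an explicit, admin-maintained allow-list and otherwise requires write permission. The `ActorContext` shape, the `TRUSTED_APP_SLUGS` list, and the `is_human` field (which a real implementation would derive from the webhook payload’s `sender.type` of `User` versus `Bot`) are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ActorContext:
    """Hypothetical view of the triggering actor, assembled from the event
    payload and a collaborator-permission lookup (example structure only)."""
    login: str        # github.actor as seen by the workflow
    permission: str   # collaborator permission: "admin", "write", "read" or "none"
    is_human: bool    # True for user accounts, False for GitHub App bot accounts


def flawed_is_trusted(actor: ActorContext) -> bool:
    """The pattern described above: anything that *looks* like a bot is trusted.
    The "[bot]" suffix is attacker-controlled (anyone can register a GitHub App),
    so it proves nothing about who installed the app or what it may do."""
    return actor.login.endswith("[bot]") or actor.permission in ("admin", "write")


# Hypothetical allow-list of bot logins an administrator has explicitly approved.
TRUSTED_APP_SLUGS = frozenset({"dependabot[bot]"})


def hardened_is_trusted(actor: ActorContext) -> bool:
    """Bots are trusted only by explicit allow-list, never by naming convention;
    humans are trusted only if they actually hold write access on the repo."""
    if not actor.is_human:
        return actor.login in TRUSTED_APP_SLUGS
    return actor.permission in ("admin", "write")


# Constructed sample actors covering the cases the article discusses.
SAMPLE_ACTORS = [
    ActorContext("maintainer", "write", True),           # legitimate trigger
    ActorContext("drive-by-user", "read", True),         # no write access
    ActorContext("dependabot[bot]", "none", False),      # admin-installed app
    ActorContext("attacker-app[bot]", "none", False),    # self-registered app
]


def evaluate(actors=SAMPLE_ACTORS) -> dict[str, tuple[bool, bool]]:
    """Map each login to (flawed verdict, hardened verdict)."""
    return {a.login: (flawed_is_trusted(a), hardened_is_trusted(a)) for a in actors}


if __name__ == "__main__":
    for login, (flawed, hardened) in evaluate().items():
        print(f"{login:20s} flawed={flawed!s:5s} hardened={hardened}")
```

Running it shows the one row that matters: the self-registered app is trusted by the suffix check and rejected by the allow-list check, while every legitimate actor is treated identically by both. The lesson generalises beyond this action: a name is not a credential, and any trust decision keyed on a string the caller chooses is a decision the caller makes for you.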

From there the attacker relies on indirect prompt injection: planting instructions inside content the AI reads so that the model follows them instead of its actual task. RyotaK wrote an issue whose body looked like an error message, then iterated on the wording until Claude “fixed” the error by running the commands buried in it. The target was /proc/self/environ, the Linux file that exposes a process’s environment variables, secrets included. Claude Code blocks reading that file directly, but RyotaK got around the guard and had Claude write the values back into the issue, where the attacker could simply read them.

The real prize among those variables is the credential pair GitHub Actions uses to request an OIDC token, a signed token that asserts “I am this workflow running in this repository.” Claude Code exchanges that OIDC token with an Anthropic backend for a Claude GitHub App installation token with write access. Steal the pair, replay the exchange, and you hold write access to the target’s code, issues, and workflows. Pull it off against the claude-code-action repository itself, and you could poison the action that downstream projects pull.

RyotaK also flagged a softer path that skips the bot trick entirely. Anthropic’s own example workflow shipped with allowed_non_write_users: "*", which lets anyone trigger it, a configuration Anthropic’s own documentation already flags as dangerous. Worse, Claude was writing job summaries to the publicly visible job summary panel, an already established channel for exfiltrating data. Many repositories copied that example and inherited the hole.

There is also a race for an attacker who can edit issues but cannot trigger Claude directly: edit a trusted user’s issue after it has fired the workflow but before Claude reads it, and the payload lands as “trusted” input.

What to do? Update to claude-code-action v1.0.94 or later. Then audit any workflow that lets users without write access, or bots, trigger Claude: if it takes untrusted input, give it no secret beyond the Anthropic API key and GITHUB_TOKEN, and strip out tools and permissions that could be used for exfiltration.
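The audit the previous paragraphs call for can be scripted. The following is an added example, not code from Anthropic or from the report: a line-based checker that reads a GitHub Actions workflow and flags the four conditions discussed above, an open trigger (`allowed_non_write_users: "*"`) combined with issue or comment events, extra secrets beyond `ANTHROPIC_API_KEY` and `GITHUB_TOKEN`, an action pinned below v1.0.94, and write scopes that a triage job rarely needs. Both workflow texts are constructed for the example; the hardened one shows the same job with the open trigger removed, the extra secret dropped, `contents` scoped to read, and the action pinned to the fixed release. The checker assumes block-style YAML (one key per line) and does not parse the inline `on: [issues]` form.

```python
import re

FIXED_VERSION = (1, 0, 94)   # first release with the fix, per the advisory above
ALLOWED_SECRETS = {"ANTHROPIC_API_KEY", "GITHUB_TOKEN"}
UNTRUSTED_TRIGGERS = {"issues", "issue_comment", "pull_request_target",
                      "discussion", "discussion_comment"}
WRITE_SCOPES_TO_REVIEW = {"contents", "actions", "packages"}

# Constructed sample: a job copied from the risky pattern described in the article.
WEAK_WORKFLOW = """\
name: Claude
on:
  issues:
    types: [opened, edited]
  issue_comment:
    types: [created]
permissions:
  contents: write
  issues: write
  pull-requests: write
  id-token: write
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1.0.90
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          allowed_non_write_users: "*"
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: the same job after applying the advice above.
HARDENED_WORKFLOW = """\
name: Claude
on:
  issues:
    types: [opened]
  issue_comment:
    types: [created]
permissions:
  contents: read
  issues: write
  pull-requests: write
  id-token: write
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1.0.94
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
"""


def audit_workflow(text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one workflow file."""
    findings: list[tuple[str, str]] = []
    open_trigger = False
    untrusted: set[str] = set()
    section = None   # top-level block we are inside: "on", "permissions" or None
    for raw in text.splitlines():
        stripped = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if indent == 0 and stripped:
            key = stripped.split(":", 1)[0]
            section = key if key in ("on", "permissions") else None
            continue
        if section == "on" and indent == 2:
            event = stripped.split(":", 1)[0]
            if event in UNTRUSTED_TRIGGERS:
                untrusted.add(event)
        if section == "permissions" and indent == 2:
            scope, _, level = stripped.partition(":")
            if scope in WRITE_SCOPES_TO_REVIEW and level.strip() == "write":
                findings.append(("review", f"{scope}: write exceeds what issue triage needs"))
        m = re.search(r"allowed_non_write_users:\s*(.+)", stripped)
        if m:
            value = m.group(1).strip().strip("'\"")
            if value == "*":
                open_trigger = True
            elif value:
                findings.append(("review", f"non-write users '{value}' may trigger Claude"))
        for m in re.finditer(r"secrets\.([A-Za-z0-9_]+)", stripped):
            if m.group(1) not in ALLOWED_SECRETS:
                findings.append(("high", f"secret {m.group(1)} exposed to a run that reads untrusted input"))
        m = re.search(r"claude-code-action@v?(\d+)\.(\d+)\.(\d+)", stripped)
        if m and tuple(map(int, m.groups())) < FIXED_VERSION:
            findings.append(("high", f"claude-code-action pinned at {'.'.join(m.groups())}, below 1.0.94"))
    if open_trigger:
        findings.append(("high", 'allowed_non_write_users: "*" lets anyone trigger Claude'))
        if untrusted:
            findings.append(("high", f"open trigger fires on untrusted events: {', '.join(sorted(untrusted))}"))
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name}: {len(audit_workflow(wf))} finding(s)")
        for severity, message in audit_workflow(wf):
            print(f"  [{severity}] {message}")
```

The hardened workflow produces no findings; the weak one produces five, and the two that matter most are the combination of an open trigger with issue and comment events and the extra `NPM_TOKEN`, which is exactly the pairing behind the Cline incident described below. Note that `id-token: write` is left alone on purpose: the action needs it for the OIDC exchange, so the fix is to stop feeding the run untrusted input and unrelated secrets, not to remove the scope the action itself depends on.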

None of this is hypothetical. The same set-up, an AI triager plus wide permissions plus prompt injection, has already produced a real supply-chain hit:

  • In February, a prompt-injected vulnerability thread against Cline’s claude-code-action triage workflow let attackers steal the npm publish token and push an unauthorized cline@2.3.0. The rogue release only bundled a different, non-malicious AI agent and was pulled about eight hours later, but the same thread could just as easily have shipped real malware to everyone who updated.
  • The autonomous “HackerBot-Claw” bot then spent late February probing GitHub Actions misconfigurations across projects from Microsoft, Datadog, CNCF, and others; at one point it tried to prompt-inject a Claude-based reviewer with a poisoned patch file, which Claude caught and refused.

There is no public sign of this exact technique, poisoning the Anthropic action, being used against a live target; RyotaK has only demonstrated it in a test environment and is careful to separate it from the exploited variants above.

RyotaK says they have now reported roughly 50 distinct ways to bypass Claude Code’s permission system and execute commands, part of a wider run of prompt-injection bugs in AI coding agents. Prompt injection is not a solved problem, and an agent with real tools and real tokens can be pushed exactly as far as its permissions allow.
