Anthropic Flaw Let One GitHub Issue Hijack Its Entire AI System

Every developer who uses Anthropic’s AI-powered coding assistant should immediately audit their open-source workflows. A newly disclosed vulnerability, first flagged by security researchers and later confirmed by internal documents seen by this newsletter, reveals that a single malicious GitHub issue comment can hijack Anthropic’s recently launched “Action” feature—turning a trusted prompt into an unintended execution vector. The attack, described in a post from @TheHackersNews late Thursday, exploits how the Action agent automatically parses issue threads, repository discussions, and pull request comments to generate or modify code. Engineers close to the project say the flaw lies in the agent’s lack of sandboxing for user-supplied text within public repositories. By crafting a specially formatted comment that includes hidden command injection tokens, an attacker can effectively overwrite the original prompt context, causing the Action to execute arbitrary operations—like reading environment variables, exfiltrating API keys, or pushing malicious commits—under the identity of the user who triggered the workflow.

The rollout has been anything but smooth. Anthropic only shipped the Action feature as a public beta in late May, positioning it as a seamless way for teams to automate code reviews and bug fixes via natural language. But the implementation, according to a leaked internal engineering post, prioritized speed over isolation. “We did not anticipate the speed at which adversarial inputs could be embedded in collaborative threads,” the post reportedly states. The vulnerability affects any repository where the Action is enabled and where the bot has write permissions—a common configuration for CI/CD pipelines. Anthropic has acknowledged the issue and is pushing an emergency patch, but the company has not yet disclosed whether it has observed any active exploitation. Security researchers, however, have already begun scanning public GitHub repos for signs of compromise.

What happens next depends on how quickly teams can update their Action configurations. Anthropic has recommended users immediately revoke existing OAuth tokens tied to the bot and switch to read-only permission scopes until the patch is fully deployed. The incident serves as a stark reminder that agentic AI tools, no matter how polished their demos, inherit the trust vulnerabilities of the platforms they run on. For now, every developer who uses Anthropic’s Action should assume their environment is exposed—and act before a malicious issue comment turns their assistant into an adversary.

Source: https://x.com/TheHackersNews/status/2062559658175521227