Security researchers from Johns Hopkins University have uncovered a serious vulnerability in AI agents used within GitHub Actions. The flaw affects solutions from Anthropic, Google, and Microsoft, including tools like GitHub Copilot.
Led by Aonan Guan, the team demonstrated a novel attack method—injecting malicious instructions directly into pull request text and comments. AI agents automatically process this data as part of their tasks, potentially executing embedded commands and publishing results that could include confidential information.
Dubbed Comment and Control, the technique involves an attacker adding hidden or disguised commands to descriptions or comments. The agent then runs these in the GitHub environment, potentially leaking access tokens, API keys, and other sensitive data directly into public responses.
One of the first targets was Anthropic's security tool. Researchers found it treats pull request titles as trusted context, allowing commands like "whoami" to be executed and results posted as comments. After demonstrating more severe scenarios, including API key leaks, the company acknowledged the issue, rating its criticality at 9.4, and added a warning in its documentation.
A similar approach worked against Google's solution. By inserting a fake "trusted content" block into a comment, researchers bypassed built-in restrictions and forced the publication of a GEMINI_API_KEY variable. Google acknowledged the finding and paid a bounty.
GitHub Copilot from Microsoft proved the most resilient, but it too was circumvented. Attackers used hidden HTML comments, invisible to users but accessible to AI processing. Despite initial claims that the issue was already known, Microsoft also paid a bounty after the attack demonstration.
Notably, none of the companies disclosed vulnerability identifiers or published detailed user guidance. According to the researchers, this creates additional risk, as developers might continue using vulnerable tool versions without being aware of the threat.