Microsoft has disclosed a vulnerability in Anthropic's Claude Code GitHub automation that could lead to secrets leaking from CI/CD processes. Researchers at Microsoft Threat Intelligence found that an attacker could use prompt injection to trick the assistant into reading sensitive system files containing API keys and other credentials.
The investigation was prompted by attack attempts on public repositories where AI is used to process GitHub issues and automate workflows. Prompt injection is especially dangerous in such scenarios: an attacker does not need permission to modify the project code. Simply leaving a GitHub issue or other text prompt that the bot reads can be enough.
Microsoft provides an example with instructions hidden inside HTML comments. In the normal GitHub interface, those fragments are invisible to users, but the AI model, which reads the raw Markdown, recognizes them. As a result, a malicious command can look like a harmless feature request to humans while appearing as an instruction for the AI to perform an action in the repository or automation environment.
Researchers confirmed that such an approach worked against the Claude Code GitHub workflow. Although Anthropic had already sandboxed some tools, including the Bash tool for executing commands, Microsoft discovered that the file-reading tool did not have the same restrictions. This allowed bypassing protection and gaining access to data that should not have been included in the model's response.
In Microsoft's test, a specially crafted prompt injection payload managed to bypass two protective layers and convince the assistant to read system files with secrets. This scenario is dangerous not only for individual developers but also for companies that are increasingly connecting AI agents to repositories, build pipelines, and internal tools.
Microsoft reported the information to Anthropic on April 29. The fix was released on May 5 in version 2.1.128 of Claude Code. Anthropic restricted the program's access to sensitive files in the /proc/ directory to prevent such data extraction. This case shows that automation in development requires not only convenient tools but also a strict security model: any text the agent reads can potentially become a command.