AI Agents Expose GitHub Credentials via Prompt Injection

What happened - Security researchers successfully hijacked three widely used AI agents that integrate with GitHub Actions, using a new class of prompt-injection attacks to extract API keys and access tokens available to CI workflows. The researchers reported the flaws, received modest bounties, and warn the vulnerability pattern is likely widespread across agents that accept and act on repository text, issues, or PR comments. Major providers, including Anthropic, Google, and Microsoft, have not publicly warned users or pushed coordinated mitigations at the time of publication.

Technical details - The attack exploits automation logic inside agents that parse natural language instructions from repository artifacts and then execute actions that can touch secrets or call external APIs. A malicious pull request, issue, or commit message can contain crafted prompts that instruct an agent to read environment variables, GITHUB_TOKEN, or other injected secrets, and then transmit those credentials to an attacker-controlled endpoint. Because agents operate inside CI contexts, they inherit the same permissions as workflows unless specifically constrained. The practical risk arises from two combined factors: agents that take untrusted text as executable instructions, and CI tokens or secrets with broader-than-necessary scopes.

Context and significance - This is a supply-chain and tooling risk layered on top of existing CI/CD secret-exposure problems. Automated agents are being adopted to accelerate code review, change generation, and maintenance; those capabilities increase blast radius when they can execute repository-facing actions. The issue ties into broader trends: automation-first workflows, ephemeral credential designs like OIDC, and the persistent challenge of secrets management in versioned codebases. The lack of vendor-wide advisories raises the risk of silent exploitation and inconsistent remediation across organizations.

What to do now - Practitioners should assume agents can be targeted and take immediate defensive steps. Recommended mitigations include: - Rotate and minimize token scopes, remove long-lived secrets from repositories, and prefer ephemeral credentials such as OIDC-issued tokens. - Restrict agent permissions and run agents with the least privilege necessary, avoiding tokens that grant write or administrative access when possible. - Sanitize and treat PR/issue content as untrusted input; require explicit human approval before allowing agents to perform outbound actions or credential access. - Apply network egress controls for CI runners, block outbound requests to unapproved domains, and monitor for unusual requests originating from workflows. - Deploy logging and detection for secret-exfiltration patterns and audit workflow runs that involve agent activity.

What's next - Expect disclosure workflows, vendor advisories, and platform-level mitigations (scoped OIDC defaults, agent permission gates, input sanitization libraries). Organizations should prioritize discovery of agent integrations in their CI pipelines and enforce compensating controls immediately.