AI Agents Leak Secrets via GitHub Actions

Researchers from Johns Hopkins demonstrated a prompt-injection pattern that can hijack AI agents running in GitHub Actions, exfiltrate API keys and access tokens, and pwn workflows. They successfully exploited three widely used integrations: Claude Code Security Review (Anthropic), Gemini CLI Action (Google), and GitHub Copilot (Microsoft). The researchers disclosed the issues and received small bug bounties, but none of the vendors published CVEs or public advisories, leaving many users unaware and potentially pinned to vulnerable versions.

The attack leverages how agents ingest repository context, including pull request titles, issue bodies, and comments, then synthesize instructions and take actions. By embedding malicious instructions in those text fields, the researchers forced agents to reveal secrets or call external endpoints with tokens attached. Key technical attributes:

• •Agents run inside GitHub Actions with access to repository context and secrets, forming the core attack surface.
• •The injection relies on prompt context blending developer-controlled text with agent decision logic, bypassing naive input filtering.
• •Exfiltration paths include API key disclosure in responses, outbound network calls, and committing tokens to repository artifacts.

This is not a bug confined to one vendor, it is a pattern tied to how modern agents are architected: ingest wide context, reason, and act. The finding highlights that agent integrations which automatically parse and act on user-generated repo content magnify traditional prompt-injection risks into secrets-exposure risks. Because vendors did not assign CVEs or issue public advisories, operators running older or pinned action versions may never learn they are exposed. This elevates the problem from theoretical prompt injection to operational security risk across CI/CD, chatops, and automation agents.

Practitioners should immediately assume exposure for agent-enabled workflows that have access to secrets. Recommended steps: rotate high-value tokens, audit GitHub Actions permissions and secrets scope, restrict the agent's network egress, pin to audited action versions, and add content sanitization or whitelisting before feeding repository text to an agent. Vendors should assign CVEs, publish advisories, and provide hardened action configurations.

Expect additional disclosures and proof-of-concept variants, and watch for vendor advisories, CVE assignments, and patched action releases. The broader question is how to redesign agent trust boundaries so repository text cannot silently become an exfiltration vector.