Claude Code Flaw Exposes Repositories to Compromise

Security researchers reporting at Flatt.tech disclosed a critical supply-chain vulnerability in Anthropic's Claude Code GitHub Actions workflow that could allow full repository compromise via a single malicious GitHub issue or pull request comment. Tenable's advisory describes an attack path in which the action checks out the PR head branch, giving the attacker control of the working directory; an attacker-supplied .mcp.json configuration in that directory then starts an MCP server, resulting in arbitrary command execution with access to workflow secrets (Tenable). Flatt.tech and GBHackers reported that the flaw let attackers bypass permission validation and ingest untrusted input into workflows, enabling exfiltration of secrets including OpenID Connect token request credentials (Flatt.tech; GBHackers). SecurityWeek's coverage places this incident within a broader "Comment and Control" prompt-injection pattern that also affected other agents such as Gemini CLI and GitHub Copilot Agent (SecurityWeek). Flatt.tech and Tenable report that fixes were released, with Flatt.tech noting a patch in Claude Code GitHub Actions v1.0.94 and Tenable recording a fix in claude-code-action 1.0.78.
What happened
Security reporting from Flatt.tech and GBHackers disclosed a critical supply-chain vulnerability in Anthropic's Claude Code GitHub Actions integration that could be triggered by a crafted GitHub issue, pull request title, or comment (Flatt.tech; GBHackers). Tenable's advisory describes a concrete exploit chain in which the action checks out the pull request head branch when running in a PR context, making the working directory attacker-controlled, and then loads project/local/user settings that can include a malicious .mcp.json file (Tenable). Tenable states that the action unconditionally set enableAllProjectMcpServers to true in user settings, which allowed an attacker-defined MCP server to be started automatically, producing arbitrary command execution on the runner with access to workflow secrets (Tenable). Flatt.tech demonstrates that these conditions could be combined with a permission validation bypass to ingest untrusted input and exfiltrate secrets, including OpenID Connect token request credentials used by GitHub Actions (Flatt.tech; GBHackers).
Technical details (reported)
Tenable's advisory documents the root technical elements it observed: the action checking out PR head branches, settingsSource: ["user","project","local"] allowing attacker-supplied configuration to be loaded, and enableAllProjectMcpServers being enabled by default, which together enabled an attacker to start an MCP server from repository-controlled files and execute arbitrary commands in the runner context with access to secrets (Tenable). Flatt.tech and GBHackers add that default example workflow settings such as allowed_non_write_users: * expanded the attack surface by permitting external contributors to trigger workflows that run with read/write and workflow-file permissions (Flatt.tech; GBHackers). SecurityWeek's research frames these vulnerabilities as instances of a broader prompt-injection pattern named "Comment and Control," where untrusted GitHub content is used to bypass AI-agent guardrails and obtain credentials or execute commands (SecurityWeek).
Editorial analysis - technical context:
AI-driven automation and agentic workflows that ingest repository content and run in the same runtime as production secrets create a high-risk combination when input validation and permission scoping are weak. Observers have documented similar prompt-injection and agent escape patterns across multiple tools, where malicious PR metadata or hidden comments can be processed as prompts and lead to secret exposure or remote code execution (SecurityWeek). For practitioners, the technical lesson is that workflow checkouts, configuration loading order, and default flags that enable remote servers or tooling should be treated as high-risk primitives when combined with untrusted inputs.
Industry context:
Reporting on this incident connects to an ongoing pattern in which supply-chain components, including GitHub Actions and action repositories, become vectors that rapidly propagate compromise downstream. Flatt.tech highlights that because the Claude Code action repository used the same workflow, an attacker could in principle alter the action's own source and cause the compromised action to affect all downstream repositories that consume it (Flatt.tech). SecurityWeek's coverage shows the same prompt-injection technique affecting several popular automation agents, indicating a cross-vendor class of risk rather than a single-product failure (SecurityWeek).
What to watch
- Audit for workflows that check out PR head branches and for actions that load project- or local-scoped settings without explicit approval.
- Look for default or example settings such as allowed_non_write_users: * or flags like enableAllProjectMcpServers that grant broad execution capability from untrusted inputs.
- Review workflow run logs and recent PR/issue activity for unusual comments or injected payloads; Flatt.tech recommends scanning for evidence of secret access or anomalous runner commands (Flatt.tech).
- Track upstream action updates: Flatt.tech reports a patch in Claude Code GitHub Actions v1.0.94 and Tenable reports a fix in claude-code-action 1.0.78; corroborate which release applies to your pinned action version before upgrading (Flatt.tech; Tenable).
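As an added example (not code from the page, from Flatt.tech or Tenable, or from the claude-code-action project), the following Python audit scans a workflow file and a repository settings file for the primitives named in the technical details and in the checklist above: a PR-head checkout, triggers that outsiders can fire, allowed_non_write_users: *, and enableAllProjectMcpServers set to true. The sample workflow and settings are constructed; the check for an explicit actions/checkout step with a pull_request.head ref is an assumption about how the PR-head checkout would appear in a workflow you control (Tenable describes the action performing that checkout itself), the finding ids are this example's own, and the YAML matching is regex-based to stay dependency-free, so it is a triage aid rather than a full YAML parser.

```python
import json
import re

# Constructed sample workflow (not from the page or the project) combining
# the risky primitives the reporting describes.
WORKFLOW_YAML = """\
on:
  pull_request_target:
    types: [opened, synchronize]
  issue_comment:
    types: [created]
jobs:
  claude:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: anthropics/claude-code-action@v1
        with:
          allowed_non_write_users: "*"
"""

# Constructed settings as loaded from the checked-out tree: weak value beside the corrected one.
WEAK_SETTINGS_JSON = '{"enableAllProjectMcpServers": true}'
HARDENED_SETTINGS_JSON = '{"enableAllProjectMcpServers": false}'

# (finding id, regex over the workflow text, why it matters)
WORKFLOW_CHECKS = [
    ("pr-head-checkout", r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}",
     "checks out the PR head, so the working tree is attacker-controlled"),
    ("untrusted-triggers", r"^\s*(pull_request_target|issue_comment):",
     "runs with repository secrets on events that outsiders can fire"),
    ("any-external-user", r"allowed_non_write_users:\s*[\"']?\*",
     "lets users without write access trigger the agent"),
]

def audit_workflow(text: str) -> list[str]:
    """Return the ids of the risky workflow patterns present in the text."""
    return [fid for fid, pat, _ in WORKFLOW_CHECKS if re.search(pat, text, re.MULTILINE)]

def audit_settings(text: str) -> list[str]:
    """Flag repository-provided settings that would auto-start MCP servers."""
    settings = json.loads(text)
    return ["auto-enable-project-mcp"] if settings.get("enableAllProjectMcpServers") is True else []

def risk_chain_present(workflow: str, settings: str) -> bool:
    """True when a PR-head checkout can feed attacker-supplied config into an MCP start."""
    return ("pr-head-checkout" in audit_workflow(workflow)
            and "auto-enable-project-mcp" in audit_settings(settings))
```

Run audit_workflow and audit_settings over each workflow and settings file in a repository; risk_chain_present reports only the combination that the advisories describe as leading to command execution, so a true result is the case to fix first.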
Observed patterns in similar incidents:
Supply-chain compromises in CI/CD tooling often escalate quickly because trust is transitive: a vulnerable action used by many repositories can convert a single malicious contribution into a broad downstream compromise. Industry reporting shows this pattern recurring across different AI automation tools, reinforcing the need for conservative permission defaults and explicit approval gates when loading repository-provided configuration (SecurityWeek; Flatt.tech).
Scoring Rationale
This is a major supply-chain vulnerability in a CI/CD GitHub Action that can produce remote code execution and secret exfiltration; the issue maps to a broader prompt-injection class affecting multiple agent tools and therefore matters to many practitioners.