What happened
Microsoft Threat Intelligence published a security blog post on June 5, 2026 describing a vulnerability in Anthropic's Claude Code GitHub Action that could expose CI/CD workflow secrets when the agent ingests attacker-controlled GitHub content. Microsoft wrote that the action's Read tool was not subject to the same sandboxing as its Bash subprocess, and that the Read tool was authorized to access /proc/self/environ, allowing it to read the workflow's ANTHROPIC_API_KEY and potentially other credentials available to the runner. Microsoft also reported that, "Following our responsible disclosure, Anthropic mitigated this issue in Claude Code version 2.1.128 by blocking access to sensitive /proc files." (Microsoft security blog)
Technical details
Editorial analysis - technical context: Public reporting identifies this incident as a specific instance of prompt injection against agentic tooling that processes raw repository content. The Microsoft blog demonstrates an attack pattern where attacker-supplied text in issue bodies, PR descriptions, or comments is treated as trusted context and can influence the agent's tool use. The Cloud Security Alliance (CSA) research note published April 17, 2026 names the broader class "Comment and Control" and documents how AI agents from Anthropic, Google, and Microsoft can be induced to exfiltrate secrets. The CSA lists confirmed exfiltration targets including ANTHROPIC_API_KEY, GITHUB_TOKEN, GEMINI_API_KEY, GITHUB_COPILOT_API_TOKEN, and GITHUB_PERSONAL_ACCESS_TOKEN (CSA research note).
Observed attack vectors (reported)
- Prompt injection hidden inside an HTML comment in an issue body, as shown in Microsoft's writeup.
- Cross-site scripting style payloads embedded in issue/PR content, per Microsoft and CSA descriptions.
- Dedicated PRs or comments crafted to trigger agent tool use, as cataloged by the CSA.
Context and significance
Multiple independent reports converge on the same operational risk: agentic code assistants that can run tools, read files, or post back to GitHub expand attacker surface area beyond traditional CI/CD tools. The CSA research note documents coordinated disclosure of vulnerabilities affecting three major vendor agents and reports that vendors paid small bug bounties but did not issue CVEs or broad notifications. Checkmarx commentary likewise frames Claude Code as an agent whose file access and command execution capabilities create new security requirements beyond classical IDE assistants. For practitioners, the key implication is that ingesting untrusted repository text into an automated agent that also has access to secrets, file-read tools, or outbound channels materially raises exfiltration risk.
What to watch
Editorial analysis: Observers should track three categories of indicators: vendor advisories and patch versions (Microsoft attributed mitigation to version 2.1.128 for Claude Code), whether vendors publish CVEs and coordinated disclosures, and CI/CD configurations that grant agents broad runner-level environment access or repository secrets. Organizations running GitHub Actions that invoke AI agents should review which secrets are provisioned to runners and how agent tooling is sandboxed. Public research and vendor advisories will also clarify whether mitigations are defensive workarounds or architectural changes to agent tooling.
Practical takeaway for teams
For practitioners: This reporting highlights that agentic integrations combine text processing and privileged runtime capabilities, creating an exfiltration path that standard static scanners may miss. Defense-in-depth controls, least-privilege provisioning for runner secrets, explicit sandboxing of file-read tools, and treating any untrusted PR/issue text as hostile input are consistent hardening steps described across the Microsoft blog, CSA note, and vendor guidance summarized by security firms.
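The "explicit sandboxing of file-read tools" point above is the one the Microsoft finding turns on: a Bash-level sandbox does nothing if a separate Read tool can open /proc/self/environ directly. The following is an added example, not Claude Code's or any vendor's code, of how a read tool can guard a path. It canonicalizes the path first (so symlinks committed to the repository, `..` traversal and the `/proc/self` alias are all seen as the file that would actually be opened), then applies a /proc denylist and a workspace allowlist. The denylist regex, the `check_read`/`guarded_read` names and the sample attempts in `demo()` are constructed for this example.

```python
"""Guard for an agent's file-read tool: resolve the path first, then apply a
/proc denylist and a workspace allowlist, so neither symlinks, '..' traversal
nor the /proc/self alias reach process secrets. Example code, not Claude Code."""
import os
import re
import tempfile
from pathlib import Path

# Constructed denylist for this example. Matches /proc entries that expose a
# process's environment, memory, arguments or open files, under /proc/self,
# /proc/thread-self or /proc/<pid>, with or without a /task/<tid> component.
DENIED_PROC_RE = re.compile(
    r"^/proc/(?:self|thread-self|\d+)(?:/task/\d+)?"
    r"/(?:environ|mem|maps|cmdline|auxv|fd(?:/.*)?|cwd(?:/.*)?|root(?:/.*)?)$"
)


class ReadDenied(PermissionError):
    """Raised when the read tool refuses a path."""


def resolve(path: str) -> Path:
    """Canonicalize: follow every symlink and collapse '..' before any check,
    so the check sees the file actually opened, not the name the agent was given."""
    return Path(os.path.realpath(path))


def check_read(path: str, workspace_root: str) -> Path:
    """Return the resolved path if the read is permitted, else raise ReadDenied."""
    target = resolve(path)
    root = resolve(workspace_root)
    # Layer 1: deny sensitive /proc entries outright, even if the root is '/'.
    if DENIED_PROC_RE.match(target.as_posix()):
        raise ReadDenied(f"{path} resolves to {target}, a denied /proc entry")
    # Layer 2: allow only files inside the checked-out workspace.
    if target != root and root not in target.parents:
        raise ReadDenied(f"{path} resolves to {target}, outside {root}")
    return target


def guarded_read(path: str, workspace_root: str, max_bytes: int = 1 << 20) -> bytes:
    """Read a file through the guard, capped so a huge file can't be streamed out."""
    with open(check_read(path, workspace_root), "rb") as f:
        return f.read(max_bytes)


def demo() -> dict:
    """Exercise the guard against the patterns in the reports: a direct
    /proc/self/environ read, a pid alias, a repo symlink pointing at it, and
    '..' traversal out of the workspace. Returns which attempts were denied."""
    results = {}
    with tempfile.TemporaryDirectory() as ws:
        readme = Path(ws) / "README.md"
        readme.write_text("# hello\n")
        # Attacker-controlled repo content: a symlink committed under an innocent name.
        (Path(ws) / "notes.txt").symlink_to("/proc/self/environ")
        attempts = {  # constructed inputs for this example
            "direct": "/proc/self/environ",
            "pid_alias": "/proc/1/environ",
            "symlink": str(Path(ws) / "notes.txt"),
            "traversal": str(Path(ws) / ".." / ".." / ".." / "proc" / "self" / "environ"),
            "legit": str(readme),
        }
        for name, candidate in attempts.items():
            try:
                guarded_read(candidate, ws)
                results[name] = "allowed"
            except ReadDenied:
                results[name] = "denied"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
```

The order matters: resolving before checking is what defeats the symlink and traversal cases, and keeping the /proc denylist as a separate layer means a workflow that (unwisely) sets the workspace root to `/` still cannot read the environment. A read cap is included because an agent that can read arbitrary large files inside the workspace is itself an exfiltration channel once it can post content back to GitHub.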
Key Points
1. Microsoft reported that Claude Code's Read tool could access /proc/self/environ, exposing ANTHROPIC_API_KEY and other runner secrets.
2. CSA researchers labeled the broader attack class "Comment and Control," documenting cross-vendor exfiltration via malicious PRs, issues, and comments.
3. Industry guidance emphasizes sandboxing, least-privilege secrets provisioning, and treating untrusted GitHub content as a high-risk input surface.
Scoring Rationale
This story exposes a high-impact class of supply-chain and CI/CD risks that affect multiple major vendor agents and can leak repository and API tokens. It matters to engineers managing pipelines, security teams, and anyone deploying agentic workflows.