A security researcher showed that a GitHub PR title, issue body, or comment could become a prompt injection that hijacks Claude Code (and Gemini CLI, and GitHub Copilot) running in GitHub Actions, then makes it dump the workflow's secrets. Anthropic rated its variant CVSS 9.4 Critical.
There is no malware and no GitHub bug. The agent simply reads attacker-controlled text and runs tools with the secrets sitting next to it. Here is how the chain works, why it cannot be fixed inside the agent, and the tool-call rules that stop the exfiltration the moment it is attempted.
What happened
In a coordinated disclosure dubbed "Comment and Control", security researcher Aonan Guan, with Johns Hopkins researchers Zhengyu Liu and Gavin Zhong, showed the same attack pattern against three of the most widely deployed AI coding agents in CI: Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and GitHub's Copilot Agent. All three were confirmed and fixed by their vendors. Anthropic rated the Claude Code variant CVSS 9.4 Critical.
The setup is the part that should worry you: it needs nothing privileged. Anyone who can comment on a public repo, open an issue, or file a PR can deliver the payload. The agent does the rest, because reading that comment is its job.
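A defender-side check for the precondition described above, as an added example that is not from the original article or any vendor: it scans a workflow file for triggers an outside user can fire alongside `${{ secrets.* }}` references. The trigger set, function names and sample workflows (including `example-org/agent-action`) are assumptions constructed for illustration.

```python
import re

# Events an outsider can fire by commenting or opening an issue or PR and that
# run with repository secrets (fork `pull_request` runs get none, so not listed).
UNTRUSTED_TRIGGERS = {"issues", "issue_comment", "pull_request_target"}
# Event fields holding the text the article names: title, body, comment.
UNTRUSTED_FIELDS = re.compile(
    r"github\.event\.(?:issue|pull_request|comment)\.(?:title|body)")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

def on_block(workflow):
    """Text of the top-level `on:` key: inline value plus indented body."""
    out, inside = [], False
    for line in workflow.splitlines():
        m = re.match(r"""^["']?on["']?\s*:(.*)$""", line)
        if m:
            inside = True
            out.append(m.group(1))
        elif inside and line[:1].strip():  # next top-level key ends the block
            inside = False
        elif inside:
            out.append(line.split("#", 1)[0])  # drop YAML comments
    return "\n".join(out)

def audit(workflow):
    """Flag a workflow where outsider-triggered runs sit next to secrets."""
    fired = set(re.findall(r"[a-z_]+", on_block(workflow))) & UNTRUSTED_TRIGGERS
    secrets = sorted(set(SECRET_REF.findall(workflow)))
    fields = sorted(set(UNTRUSTED_FIELDS.findall(workflow)))
    return {"untrusted_triggers": sorted(fired), "secrets": secrets,
            "interpolated_fields": fields, "exposed": bool(fired and secrets)}

# Constructed samples; example-org/agent-action is a hypothetical action name.
RISKY = """\
on:
  issue_comment:
    types: [created]
  pull_request_target:
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/agent-action@v1
        with:
          prompt: "Review: ${{ github.event.comment.body }}"
        env:
          AGENT_API_KEY: ${{ secrets.AGENT_API_KEY }}
"""
SAFE = "on: [push]\njobs:\n  deploy:\n    env:\n      T: ${{ secrets.DEPLOY_TOKEN }}\n"
```

An `exposed` result means the run is reachable by untrusted text while secrets are in scope. An empty `interpolated_fields` list does not clear a workflow, since the agent can read the comment itself.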