A researcher disclosed a vulnerability in the Claude Code GitHub Action that let an attacker take over the agentic workflow running inside a repository by submitting a single crafted GitHub Issue. No stolen tokens. No compromised runner. Just text — pointed at an agent that trusted it.

This is indirect prompt injection in the wild, and it's exactly the scenario that most AI security guidance hand-waves with "validate your inputs."

Let's talk about what actually happened, why standard defenses didn't stop it, and what would have.

What Happened

The Claude Code GitHub Action wires Claude directly into your CI/CD pipeline. It reads repository context — issues, PRs, comments — and takes actions on your behalf: writing code, opening PRs, running commands.