Quick Takeaways
- An attacker exploited a vulnerability in Anthropic’s Claude Code GitHub Action, enabling unauthorized code execution and potential compromise of downstream repositories through prompt injection and broad permission settings.
- The attack involved bypassing GitHub’s trust restrictions by using "bot" actors or editing trusted issues, leading to theft of GitHub Actions credentials and escalation to write access for malicious activities.
- Real-world supply chain attacks, including unauthorized npm package publishing and probing of organizations’ configurations, demonstrated the tangible impact of prompt injection flaws in AI automation workflows.
Threat Overview, Attack Techniques, and Targets
The threat involves a flaw in Anthropic’s Claude Code GitHub Action. An attacker can hijack public repositories that run this action using just one open GitHub issue. The attack exploits a weakness in the way the action checks who can trigger it. Specifically, the trigger check allows any actor with a name ending in "bot" to trigger the action. This is risky because anyone can register a GitHub App, install it on a repo, and open issues or pull requests in public repositories. The attacker used indirect prompt injection, planting malicious instructions in issues that Claude reads. This could lead Claude to reveal secrets stored in environment variables, including credentials used to request access tokens. These tokens can then be stolen and used to gain full control over repositories and workflows.
The targets are mostly public GitHub repositories that run the Claude Code action. Specifically, those with workflows that can be triggered by anyone or without strict access controls are at risk. The attack aims to take over repositories and inject malicious code or exfiltrate sensitive data through compromised permissions.
Impact, Security Implications, and Remediation Guidance
The vulnerability can lead to serious security issues. Attackers may steal access tokens, gain write permissions, and modify repository code or workflows. They could also inject malicious code that spreads to downstream projects. Furthermore, the flaw could result in data leaks, unauthorized code pushes, and general repository compromise.
Anthropic responded quickly by fixing the flaw in version 1.0.94 of the Claude Code Action. However, organizations using this action need to update immediately. It is also important to review workflows that allow untrusted triggers or broad permissions. If untrusted input is used, restrict secret data and remove any permissions that could allow data exfiltration.
However, specific remediation guidance should be obtained from the vendor or relevant security authorities. Users should consult official security advisories or the vendor’s documentation to ensure their environment is protected against similar threats.
Continue Your Tech Journey
Learn how the Internet of Things (IoT) is transforming everyday life.
Stay inspired by the vast knowledge available on Wikipedia.
ThreatIntel-V1
