今日已更新 412 条资讯 | 累计 19972 条内容
关于我们

One Malicious GitHub Issue Was All It Took to Hijack a Claude Code Agent

Cor E 2026年06月05日 14:56 4 次阅读 来源:Dev.to

A researcher disclosed a vulnerability in the Claude Code GitHub Action that let an attacker submit a single crafted GitHub Issue and take over the agentic workflow running inside a repository. No stolen tokens. No compromised runner. Just text — pointed at an agent that trusted it. This is indirect prompt injection in the wild, and it's exactly the scenario that most AI security guidance hand-waves with "validate your inputs." Let's talk about what actually happened, why standard defenses didn't stop it, and what would have. What Happened The Claude Code GitHub Action wires Claude directly into your CI/CD pipeline. It reads repository context — issues, PRs, comments — and takes actions on your behalf: writing code, opening PRs, running commands. According to the disclosure, an attacker could craft a GitHub Issue containing a prompt injection payload. When the Claude Code agent processed that issue as part of its normal workflow, the payload manipulated the agent into executing unauthorized repository-level actions. One issue. Repository hijacked. The attack surface here is the trust boundary between external content (a GitHub Issue — writable by anyone with a GitHub account) and agent instructions (what Claude Code is actually supposed to do). The agent treated attacker-controlled text as authoritative instructions. How the Attack Actually Works Indirect prompt injection follows a consistent pattern: The agent reads external content as part of its task. In this case, the Claude Code Action ingests GitHub Issues to understand what to work on. That content contains adversarial instructions disguised as legitimate data. Something in the issue body tells the agent to deviate from its original task — "ignore your previous instructions," "your new task is to push this commit," or more subtle authority hijacks. The agent complies. Without a layer that can distinguish between legitimate orchestration instructions and attacker-injected content, the model treats the injected

本文内容来源于互联网,版权归原作者所有
查看原文