Vulnerability  ·  2026-04-17

'Comment and Control': Prompt Injection via GitHub Comments Compromises Claude Code, Gemini CLI, and GitHub Copilot

Vulnerability · High impact
Security researchers disclosed a class of prompt injection attacks — dubbed 'Comment and Control' — that hijack AI coding agents integrated with GitHub Actions. By embedding malicious instructions in PR titles, issue bodies, or issue comments (including hidden HTML comments invisible in rendered Markdown), attackers can redirect AI agents to exfiltrate API keys and access tokens. All three major AI coding agents — Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and Microsoft's GitHub Copilot — were confirmed vulnerable. Bug bounties were paid ($100 by Anthropic, $1,337 by Google) but none of the vendors assigned CVEs or published public security advisories, leaving users pinned to vulnerable versions without awareness.
An attacker with write access to a GitHub repository (or who can submit PRs) embeds prompt injection payloads in PR titles, issue bodies, or invisible HTML comments. When an AI coding agent processes the repository content as part of an automated workflow, it interprets the injected instructions and exfiltrates secrets (API keys, access tokens) to attacker-controlled locations such as public issue comments or external endpoints.
Anthropic Claude Code Security Review (GitHub Action), Google Gemini CLI Action, Microsoft GitHub Copilot Agent — all when operating in GitHub Actions automated workflows
Restrict AI agent workflow triggers to trusted contributors only. Audit GitHub Actions workflows for AI agent integrations and review what secrets are accessible to those runners. Monitor for anomalous issue comment creation by automated actors. Until official patches or advisories are published, consider disabling automated AI code review triggers on public or contributor-accessible repositories. Check the respective vendors' changelog and security documentation pages for updates.
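The mitigations above (limiting agent triggers to trusted contributors, and watching for instructions hidden in HTML comments) can be enforced as a pre-flight check that runs before the agent step. The following Python is an added example, not code from the researchers or any vendor; it assumes the GitHub webhook event JSON and its `author_association` field, and the trust set, function names and sample payloads are illustrative choices.

```python
import re

# Matches HTML comments, including an unterminated one that runs to end of text.
HIDDEN_COMMENT = re.compile(r"<!--(.*?)(?:-->|\Z)", re.DOTALL)
# author_association values treated as trusted here (a policy assumption).
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}

def untrusted_fields(event):
    """Yield (location, author_association, text) for each user-controlled field."""
    for key in ("issue", "pull_request", "comment"):
        obj = event.get(key) or {}
        assoc = obj.get("author_association", "NONE")
        for field in ("title", "body"):
            text = obj.get(field)
            if text:
                yield f"{key}.{field}", assoc, text

def preflight(event):
    """Return (allow, reasons); allow is False if any field should block the agent run."""
    reasons = []
    for location, assoc, text in untrusted_fields(event):
        if assoc not in TRUSTED:
            reasons.append(f"{location}: author_association {assoc} is not trusted")
        for m in HIDDEN_COMMENT.finditer(text):
            hidden = " ".join(m.group(1).split())[:60]
            reasons.append(f"{location}: hidden HTML comment: {hidden!r}")
    return (not reasons, reasons)

def visible_text(text):
    """Drop HTML comments from text before it is placed in an agent prompt."""
    return HIDDEN_COMMENT.sub("", text)

# Constructed sample payloads (not captured from a real repository).
SAMPLE_EXTERNAL = {
    "issue": {"title": "Build fails on main", "body": "Steps to reproduce: run make.",
              "author_association": "MEMBER"},
    "comment": {"body": "Same here.\n<!-- constructed hidden instruction text -->",
                "author_association": "NONE"},
}
SAMPLE_TRUSTED = {
    "pull_request": {"title": "Fix typo", "body": "Docs only.",
                     "author_association": "COLLABORATOR"},
}

if __name__ == "__main__":
    for name, ev in (("external", SAMPLE_EXTERNAL), ("trusted", SAMPLE_TRUSTED)):
        allow, reasons = preflight(ev)
        print(name, "ALLOW" if allow else "BLOCK")
        for r in reasons:
            print("  ", r)
```

The check fails closed: an HTML comment inside a fenced code block is also flagged, which is acceptable for a gate that only decides whether an automated agent run should be skipped for human review.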
Sources
Aonan Guan — Comment and Control: Prompt Injection to Credential Theft (researcher blog)
The Register — Anthropic, Google, Microsoft paid AI bug bounties – quietly
SecurityWeek — Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments
IT Security News — Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable