Technical description
Researchers from the National University of Singapore and ByteDance published Heimdallr, a hybrid analysis framework that detects security risks introduced by LLM integrations in GitHub CI workflows. The study characterizes a new attack surface: externally controllable inputs (issue comments, pull requests) can shape LLM prompts and outputs, which in turn affect security decisions, repository state, or privileged execution. Heimdallr achieved 99.8% accuracy in triggerability classification and disclosed 802 vulnerable workflow instances across 759 repositories.
Attack vector
An attacker embeds crafted text into GitHub issue comments or pull request descriptions. When a CI workflow splices this text into an LLM prompt for code review, triage labeling, or automated merging decisions, the attacker can steer the model's reasoning, manipulate generated outputs, leak secrets via prompt injection, or trigger unintended privileged actions (e.g., auto-merging malicious code).
Affected systems
GitHub CI workflows that integrate LLMs for automation tasks such as issue triage, pull request review, content generation, or repository maintenance. The research team responsibly disclosed 802 vulnerable instances and received 71 acknowledgments.
Mitigation
Development teams should treat LLM outputs in CI workflows as untrusted data requiring validation before privileged actions. Implement strict input sanitization for externally controllable text, enforce human-in-the-loop approval for security-critical decisions, and audit LLM tool-use permissions to prevent agents from invoking privileged APIs. The Heimdallr framework is available for organizations to scan their own CI workflows.
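An added example, not Heimdallr's code and not part of the original page: a small Python static check in the spirit of the audit the mitigation describes. It flags workflow steps where an externally controllable event field is interpolated into a step that looks like an LLM call, and records whether the workflow holds a write permission that would let the model's output drive a privileged action. The field list, the LLM-name heuristic and the two sample workflows are constructed assumptions.

```python
import re

# Event-context fields any external contributor can set (constructed list,
# not exhaustive): the "externally controllable inputs" the advisory names.
UNTRUSTED_FIELDS = {
    "github.event.issue.title", "github.event.issue.body",
    "github.event.comment.body", "github.event.pull_request.title",
    "github.event.pull_request.body", "github.head_ref",
}
EXPR = re.compile(r"\$\{\{\s*([\w.\-]+)\s*\}\}")        # ${{ ... }} expressions
LLM_HINT = re.compile(r"openai|anthropic|gpt|claude|gemini|llm", re.I)  # heuristic
WRITE_PERM = re.compile(r"^\s*(contents|pull-requests|issues|id-token):\s*write\b", re.M)
STEP_START = re.compile(r"^\s*-\s+(?=name:|uses:|run:)", re.M)

def find_risky_steps(workflow_text):
    """Flag steps where an untrusted field reaches an LLM-looking step.
    Each finding lists the tainting fields and whether the workflow can write,
    i.e. whether model output could reach a merge/commit/label action."""
    can_write = bool(WRITE_PERM.search(workflow_text))
    findings = []
    for step in STEP_START.split(workflow_text)[1:]:   # [0] is the pre-steps header
        tainted = sorted({m.group(1) for m in EXPR.finditer(step)} & UNTRUSTED_FIELDS)
        if tainted and LLM_HINT.search(step):
            findings.append({"fields": tainted, "can_write": can_write})
    return findings

# Constructed sample: an issue-comment-triggered triage job with write permissions.
VULNERABLE = """\
on:
  issue_comment:
    types: [created]
permissions:
  contents: write
  pull-requests: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Ask the LLM whether this PR should be merged
        run: python ask_model.py --prompt "Decide: ${{ github.event.comment.body }}"
      - name: Merge on approval
        run: gh pr merge --squash ${{ github.event.issue.number }}
"""
# Same job with permissions reduced to read-only: the comment can still steer the
# model, but its output can no longer drive a privileged action on its own.
HARDENED = VULNERABLE.replace("contents: write", "contents: read").replace(
    "pull-requests: write", "pull-requests: read")
```

Running find_risky_steps over each sample shows the same tainted step in both, with can_write flipping from True to False once the permission block is tightened.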