What happened
Microsoft's Defender Security Research Team published on June 5 an analysis of a permission-model bypass in Anthropic's Claude Code GitHub Actions that allowed external contributors with no write access to trigger the workflow through a GitHub App trust bypass (any GitHub App actor was unconditionally trusted regardless of its actual permissions). Flatt Security researcher RyotaK independently disclosed on June 1 that a malicious GitHub issue could be used to feed untrusted input to the workflow, potentially injecting code into any repository using it — including Anthropic's own repositories. Anthropic patched the issue in Claude Code GitHub Actions v1.0.94.
Why it matters
This demonstrates that AI coding agents embedded in CI/CD pipelines inherit the blast radius of the pipeline itself — a compromised Claude Code GitHub Action had read/write access to code, issues, PRs, discussions, and workflow files, meaning a single bypass could propagate malicious code to all downstream repositories. With enterprises rapidly adopting AI coding agents in CI/CD, this pattern (privileged agent + indirect prompt injection via untrusted input channel) is now a confirmed, exploited-in-the-wild attack class.
Action needed
Any team using Claude Code GitHub Actions must upgrade to v1.0.94 or later immediately; review allowed_non_write_users settings and audit for unexpected GitHub App actors in CI/CD permissions; treat AI-agent permissions in CI/CD pipelines as equivalent in sensitivity to secrets and deploy the same least-privilege, audit-logged access patterns.