What happened
Researchers from Virginia Tech, AI Security Company London, and the University of Texas published 'GitInject' (arXiv 2606.09935, submitted June 7, 2026), an open-source framework that provisions live GitHub repositories and triggers real CI/CD workflow runs to evaluate prompt injection against AI coding agents. Testing Claude Code Action, Codex Action, and Gemini CLI Action across four AI providers, they documented 11 named attacks, including config-file injection, credential exfiltration, judgment manipulation, and availability attacks; every provider was vulnerable to at least one attack class in its default configuration.
Why it matters
The research demonstrates that AI CI/CD agents combine the 'lethal trifecta': access to private data, exposure to untrusted content, and a channel for external communication. Config-file injection, where an attacker adds or edits a CLAUDE.md or AGENTS.md on the PR branch, is the most dangerous vector because the agent reads that file as operator-level instructions, with the authority of the repository owner, before it looks at the PR's own diff or description. The authors present this as the first systematic study of AI CI/CD security in real (not simulated) environments; it proposes minimum-cost countermeasures and provides reusable tooling for defenders.
Action needed
Security teams should run GitInject against their own AI-powered CI/CD workflows promptly, in an isolated test organization with throwaway tokens rather than production repositories, since the framework triggers real workflow runs including exfiltration-style attacks. At minimum, refuse to run the agent, or restore the base-branch copies, when a PR touches CLAUDE.md, AGENTS.md or similar agent instruction files, and enforce read-only GITHUB_TOKEN permissions for PR events from fork contributors. Note that GitHub already issues a read-only token and withholds secrets for plain pull_request events from forks; the exposure comes from workflows that check out the PR head under pull_request_target or issue_comment triggers (the usual wiring that lets an agent comment and push), which run with a write token and secrets against attacker-controlled content.
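The following gate, an added example and not tooling from the GitInject paper or any of the agent actions it tests, is what the 'restrict which files the agent can load' control looks like as a CI step run in the PR checkout before the agent action starts. It takes the changed-file list from git diff against the base ref, flags any change that alters what the agent will read as instructions, and exits non-zero so the agent never runs. The set of protected names (CLAUDE.md, CLAUDE.local.md, AGENTS.md, GEMINI.md and the .claude, .gemini and .codex directories) is an assumption to be extended for the agents you run. It also resolves the @path imports that a Claude Code CLAUDE.md can declare, using the base branch's trusted copy, so a PR that edits an imported file instead of CLAUDE.md itself is caught too; the base-ref name and the origin/main default are assumptions.

```python
"""Refuse to start an AI coding agent when a PR changes its instruction files.

Added example, not part of GitInject or any agent action. Run as a CI step
in the PR checkout before the agent action: `python agent_gate.py origin/main`.
"""
from __future__ import annotations

import posixpath
import re
import subprocess
import sys
from collections.abc import Collection, Iterable
from pathlib import PurePosixPath

# Basenames an agent treats as operator-level instructions wherever they sit
# in the tree, and directories whose contents configure the agent.
# Assumed list: add the files your own agents read. Compared case-insensitively
# so a lowercase rename on a case-insensitive filesystem is still caught.
CONFIG_BASENAMES = {"claude.md", "claude.local.md", "agents.md", "gemini.md"}
CONFIG_DIRS = {".claude", ".gemini", ".codex"}

# A Claude Code CLAUDE.md can pull in other files with "@path" imports, so a
# PR that edits an imported file rewrites the instructions without touching
# CLAUDE.md. The "@" must start a token so e-mail addresses are not matched.
IMPORT_RE = re.compile(r"(?:^|\s)@([\w~./-]+)", re.MULTILINE)


def imported_paths(claude_md_text: str, claude_md_path: str = "CLAUDE.md") -> set[str]:
    """Repo-relative paths imported by a CLAUDE.md, resolved against its directory."""
    base_dir = posixpath.dirname(claude_md_path)
    found: set[str] = set()
    for match in IMPORT_RE.finditer(claude_md_text):
        target = match.group(1)
        if target.startswith("~"):
            # Home-directory imports cannot be supplied by the PR checkout.
            continue
        found.add(posixpath.normpath(posixpath.join(base_dir, target)))
    return found


def is_agent_config(path: str, extra_protected: Collection[str] = ()) -> bool:
    """True if changing `path` changes what the agent loads as instructions."""
    parts = PurePosixPath(path).parts
    if not parts:
        return False
    if parts[-1].lower() in CONFIG_BASENAMES:
        return True
    if any(part.lower() in CONFIG_DIRS for part in parts[:-1]):
        return True
    return path in extra_protected


def flag_untrusted_config_changes(changed_files: Iterable[str],
                                  trusted_claude_md: str = "") -> list[str]:
    """Subset of `changed_files` the agent must not be allowed to read.

    `changed_files` is the output of `git diff --name-only base...head`.
    `trusted_claude_md` is the BASE branch's CLAUDE.md, so imports are resolved
    from the trusted copy rather than from whatever the PR author wrote.
    """
    protected = imported_paths(trusted_claude_md) if trusted_claude_md else set()
    return sorted({f for f in changed_files if is_agent_config(f, protected)})


def main(base_ref: str) -> int:
    """CI entry point: returns 1 (block the agent) if the PR edits its instructions."""
    changed = subprocess.run(
        ["git", "diff", "--name-only", f"{base_ref}...HEAD"],
        capture_output=True, text=True, check=True,
    ).stdout.splitlines()
    # Empty when the base branch has no CLAUDE.md; check=False on purpose.
    trusted = subprocess.run(
        ["git", "show", f"{base_ref}:CLAUDE.md"], capture_output=True, text=True,
    ).stdout
    flagged = flag_untrusted_config_changes(changed, trusted)
    if flagged:
        print("refusing to start the agent: PR modifies agent instruction files")
        for path in flagged:
            print("  " + path)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "origin/main"))
```

The gate only helps if the script itself comes from a trusted ref: under pull_request_target or issue_comment the workflow file is taken from the base branch, but anything read from the PR head checkout, this script included, is attacker-controlled, so inline it in the workflow or check it out from the base SHA separately. Over-flagging (for example a nested .claude directory the agent would never read) costs a re-review by a maintainer; under-flagging hands the agent to the PR author, so the patterns err on the broad side.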