무슨 일이 있었나
Anthropic의 PR/문제에 대해 Claude Code를 실행하는 공
왜 중요한가
This is a supply-chain-style attack on CI/CD-integrated AI coding agents: any public repository using claude-code-action to auto-review external PRs could have its CI environment (secrets, tokens) compromised simply by a malicious pull request supplying a poisoned MCP config.
공격 경로
The action checked out attacker-controlled PR head branches and read .mcp.json plus other configuration files from the working directory via default setting sources, then unconditionally executed Claude Code CLI in that checked-out directory — allowing a malicious PR to plant a poisoned .mcp.json that gets loaded and executed by the action.
영향받는 시스템
Claude Code Action (anthropics/claude-code-action) prior to 1.0.74
완화 방안
Upgrade to claude-code-action 1.0.74 or later, which restores trusted configuration from the PR's base branch before execution (restoreConfigFromBase). See GitHub commit 9ddce40de8c1ab71fb6303a125fdad0968dc1312.