A vulnerability in the Claude Code GitHub Action allowed for the hijacking of repositories.

      TL;DR: A flaw in Anthropic’s Claude Code GitHub Action allowed attackers to bypass permission checks using a counterfeit bot account and leverage prompt injection to obtain OIDC tokens, granting write access to any vulnerable repository. Anthropic addressed the issue within four days of its discovery.

      The attack begins with a GitHub issue that isn’t particularly sophisticated. A bot account opens an issue with a carefully crafted message resembling an error report. When Claude Code’s GitHub Action processes it, it follows the hidden instructions, accesses the process's environment variables, and posts them back into the issue for the attacker to retrieve.

      These variables hold the credentials necessary to request an OIDC token, which can be exchanged for a Claude GitHub App installation token that provides full write access to the repository’s code, issues, and workflows. If the attack is directed at Anthropic’s own claude-code-action repository—operating with the same vulnerable workflow—an attacker could corrupt the action that numerous downstream projects utilize.

      Security researcher RyotaK from GMO Flatt Security reported the vulnerability to Anthropic in January. The company resolved the core bypass within four days and implemented further safeguards throughout the spring. The fixes are included in claude-code-action v1.0.94. Anthropic scored the issue 7.8 under CVSS v4.0 and paid a bounty of $4,800.

      How the bypass functioned

      The Claude Code GitHub Action automatically gives Claude read and write access to a repository’s code, issues, pull requests, discussions, and workflow files. To restrict who can trigger those capabilities, the action checks whether the triggering actor holds write access to the repository.

      The check had a flaw: it implicitly trusted any actor whose name ends in [bot], on the assumption that GitHub Apps are reliable tools installed by administrators. However, anyone can create a GitHub App, install it on a repository they control, and use its token to open an issue on any public repository. The action saw the bot name and let the content through. Agent mode also lacked the additional human-actor verification that tag mode performed, so it was entirely exposed.
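The following is an added example, not code from claude-code-action or Anthropic. It places the trust-by-name logic the article describes beside a gate that treats bot actors as untrusted by default and looks up repository permission for everyone else. The input names allowedNonWriteUsers and allowedBotSlugs are assumed for the example, and the permission table is constructed so the code runs offline; in a real action the lookup would call GitHub's collaborator-permission endpoint.

```typescript
// Added example (not claude-code-action's code): a trigger gate that does not trust
// the "[bot]" name suffix. Permission lookups are injected so this runs offline.

type Permission = "admin" | "write" | "read" | "none";

export interface TriggerContext {
  actor: string;                  // login that created the event, e.g. "some-app[bot]"
  actorType: "User" | "Bot";      // GitHub's sender.type for the event
  allowedNonWriteUsers: string[]; // logins a maintainer chose to allow (assumed input name)
  allowedBotSlugs: string[];      // app slugs a maintainer explicitly trusts (assumed input name)
}

export type PermissionLookup = (login: string) => Permission;

// Constructed permission table standing in for the API response.
const constructedPermissions: Record<string, Permission> = {
  maintainer: "admin",
  contributor: "write",
  "drive-by": "read",
};
export const lookupConstructed: PermissionLookup = (login) =>
  constructedPermissions[login] ?? "none";

function hasWrite(p: Permission): boolean {
  return p === "admin" || p === "write";
}

// The flawed logic the article describes: a "[bot]" suffix is taken as proof that an
// administrator installed the app, so the permission lookup is skipped entirely.
export function vulnerableGate(ctx: TriggerContext, lookup: PermissionLookup): boolean {
  if (ctx.actor.endsWith("[bot]")) return true;
  if (ctx.allowedNonWriteUsers.includes("*")) return true;
  if (ctx.allowedNonWriteUsers.includes(ctx.actor)) return true;
  return hasWrite(lookup(ctx.actor));
}

// Hardened logic (this example's own design, not Anthropic's fix):
//  - a bot suffix or Bot actor type is never sufficient on its own;
//  - a bot passes only if its app slug is on an explicit allowlist;
//  - a "*" wildcard in the user allowlist is refused rather than honoured;
//  - everyone else must hold write or admin permission on the repository.
export function hardenedGate(
  ctx: TriggerContext,
  lookup: PermissionLookup,
): { allowed: boolean; reason: string } {
  if (ctx.allowedNonWriteUsers.includes("*")) {
    return { allowed: false, reason: "wildcard allowlist refused" };
  }
  const looksLikeBot = ctx.actorType === "Bot" || ctx.actor.endsWith("[bot]");
  if (looksLikeBot) {
    const slug = ctx.actor.replace(/\[bot\]$/, "");
    return ctx.allowedBotSlugs.includes(slug)
      ? { allowed: true, reason: `bot "${slug}" is explicitly allowlisted` }
      : { allowed: false, reason: `bot "${slug}" is not allowlisted` };
  }
  if (ctx.allowedNonWriteUsers.includes(ctx.actor)) {
    return { allowed: true, reason: "actor is explicitly allowlisted" };
  }
  const permission = lookup(ctx.actor);
  return hasWrite(permission)
    ? { allowed: true, reason: `actor has ${permission} permission` }
    : { allowed: false, reason: `actor has ${permission} permission` };
}

// Stand-alone demonstration with a constructed rogue bot and a legitimate maintainer.
export function demoGate(): string[] {
  const rogueBot: TriggerContext = {
    actor: "rogue-app[bot]", actorType: "Bot", allowedNonWriteUsers: [], allowedBotSlugs: [],
  };
  const maintainer: TriggerContext = {
    actor: "maintainer", actorType: "User", allowedNonWriteUsers: [], allowedBotSlugs: [],
  };
  return [rogueBot, maintainer].map((ctx) =>
    `${ctx.actor}: vulnerable=${vulnerableGate(ctx, lookupConstructed)} ` +
    `hardened=${hardenedGate(ctx, lookupConstructed).allowed}`);
}

console.log(demoGate().join("\n"));
```

The point of the hardened version is that the name suffix is never load-bearing: a bot is admitted only because a maintainer listed its app slug, and a human is admitted only because the repository's own permission record says so.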

      Once the attacker bypassed the gate, they used indirect prompt injection, embedding instructions within content that Claude interprets as data but executes as commands. RyotaK crafted a message disguised as an error recovery notification. Claude “recovered” by executing the commands hidden within, accessing /proc/self/environ despite Claude Code's internal safeguards against that specific action, and posting the values to the issue.

      A secondary method, no bot required

      RyotaK also discovered a simpler route that circumvented the bot tactic entirely. Anthropic’s own example issue-triage workflow came with the setting allowed_non_write_users: “*”, permitting anyone to trigger the action. Although Anthropic's documentation had already highlighted this as a risk, many repositories replicated the example and inherited this configuration.

      Compounding the problem, Claude was posting task summaries to the publicly visible summary panel of the workflow run, which gave an attacker an easy exfiltration channel. Another variant exploited a race condition: editing a trusted user’s issue after the workflow had started but before Claude read it let a malicious payload arrive as trusted input.
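The race condition above is a time-of-check/time-of-use gap: the permission check ran against one version of the issue while the agent read a later, edited one. The following is an added example, not code from claude-code-action, showing one way to close that gap: pin the agent's input to the content carried in the triggering event payload and refuse to proceed if the live issue differs. The IssueSnapshot shape, the updatedAt field (mirroring GitHub's updated_at) and the sample issue are constructed for the example.

```typescript
// Added example (not claude-code-action's code): verify that the issue content the agent
// will read is the same content that passed the trigger check.

import { createHash } from "node:crypto";

export interface IssueSnapshot {
  number: number;
  title: string;
  body: string;
  updatedAt: string; // ISO timestamp, as in GitHub's updated_at (assumed field name)
}

export interface ContentCheck {
  ok: boolean;
  reason: string;
  trusted?: IssueSnapshot; // the content the agent is allowed to read, when ok
}

export function contentDigest(issue: IssueSnapshot): string {
  // NUL separator so moving text across the title/body boundary changes the digest
  return createHash("sha256").update(`${issue.title}\u0000${issue.body}`).digest("hex");
}

// payload: the issue as it appeared in the event that passed the permission gate.
// live:    the issue as fetched immediately before handing it to the agent.
export function selectTrustedContent(payload: IssueSnapshot, live: IssueSnapshot): ContentCheck {
  if (payload.number !== live.number) {
    return { ok: false, reason: "issue number mismatch" };
  }
  if (live.updatedAt !== payload.updatedAt) {
    return { ok: false, reason: `issue edited after trigger (${payload.updatedAt} -> ${live.updatedAt})` };
  }
  if (contentDigest(live) !== contentDigest(payload)) {
    return { ok: false, reason: "content differs from trigger payload" };
  }
  // Hand the agent the payload copy, never the live fetch, so a later edit cannot slip in.
  return { ok: true, reason: "live issue matches trigger payload", trusted: payload };
}

// Constructed scenario: a trusted user's issue is edited between trigger and read.
export function demoContentCheck(): ContentCheck[] {
  const payload: IssueSnapshot = {
    number: 42,
    title: "Build fails on main",
    body: "npm test exits 1 on node 20",
    updatedAt: "2026-01-10T09:00:00Z",
  };
  const unchanged: IssueSnapshot = { ...payload };
  const edited: IssueSnapshot = {
    ...payload,
    body: payload.body + "\n\n(constructed placeholder for text appended after the trigger)",
    updatedAt: "2026-01-10T09:00:07Z",
  };
  return [selectTrustedContent(payload, unchanged), selectTrustedContent(payload, edited)];
}

for (const result of demoContentCheck()) {
  console.log(`${result.ok ? "proceed" : "abort"}: ${result.reason}`);
}
```

Comparing the timestamp alone would miss an edit that lands within the same second, which is why the digest comparison is kept as a second, content-based check; and even on success the agent is given the payload copy rather than the live fetch.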

      Not a theoretical concern

      This same pattern—an AI issue triager paired with extensive permissions and prompt injection—has caused actual damage. In February, a prompt-injected issue title against Cline’s claude-code-action triage workflow enabled attackers to steal an npm publish token and release an unauthorized version of a package. This rogue version force-installed a separate AI agent named OpenClaw on around 4,000 developer systems within an eight-hour period before it was removed.

      An independent bot known as HackerBot-Claw subsequently spent late February probing GitHub Actions misconfigurations at Microsoft, Datadog, and CNCF projects. When it attempted to prompt-inject a Claude-based reviewer via a poisoned configuration file, Claude successfully detected it and declined the action. This is both reassuring and worrisome: the model's defenses are inconsistent enough that the same type of attack can sometimes succeed and sometimes fail.

      Fifty bypasses and counting

      RyotaK reports that he has identified around 50 different methods to bypass Claude Code’s permission system and execute commands. This finding is part of a broader surge of supply chain attacks targeting AI-powered developer tools, ranging from a compromised VS Code extension that infiltrated GitHub’s own repositories to malicious npm packages intended to capture credentials from AI coding assistants.

      The remediation is straightforward: update to claude-code-action v1.0.94 or later, audit any workflows that permit non-write users or bots to trigger Claude, remove unnecessary secrets from the environment, and eliminate tools and permissions that could facilitate data exfiltration.

      The deeper issue is structural. Prompt injection remains an unresolved challenge. An AI agent equipped with real tools and tokens can be manipulated to the extent of its permissions, and the permissions most organizations
