Microsoft Discovered a Critical Secret-Leaking Vulnerability in the Popular AI Coding Assistant Claude Code

07.06.2026 2 minutes Author: Newsman

Microsoft researchers have discovered a security flaw in Anthropic’s Claude Code GitHub Action that could potentially expose sensitive data stored in CI/CD environments. Under certain conditions, attackers could exploit prompt injection techniques to trick the AI assistant into revealing API keys, access tokens, and other confidential credentials.

The investigation began after Microsoft Threat Intelligence observed attempts to use AI-powered tools to introduce malicious changes into public GitHub repositories. Researchers became particularly interested in GitHub workflows that relied on AI assistants for automation.

Prompt injection is one of the most common attack techniques targeting large language models. In this type of attack, malicious instructions are hidden inside content processed by the AI model. As a result, the system can be tricked into ignoring its original rules and carrying out actions that were never intended by its developers.

In one example, the malicious instructions were concealed within an HTML comment. While the content remained invisible to users viewing the GitHub page, the AI model could still see it when processing the raw markup. The targeted repository used GitHub Actions to automatically handle issues and tasks, creating an opportunity for exploitation.

According to the researchers, an attacker would not need permission to modify the project directly. Simply submitting a specially crafted request or message could be enough to trick the AI bot into performing unintended and potentially dangerous actions.

During the investigation, Microsoft tested whether the same technique could be used against Anthropic’s Claude Code GitHub Action. The company found that while some tools, including Bash, were already running inside a sandboxed environment, the Read tool, which is responsible for accessing files, was not protected by the same security restrictions.

To validate the vulnerability, the researchers created a proof-of-concept payload. During testing, it successfully bypassed two layers of protection and persuaded the AI assistant to access a system file containing API keys and other sensitive credentials.

Microsoft reported the issue to Anthropic on April 29. The company responded quickly and released a fix on May 5 in Claude Code version 2.1.128. The update blocks access to sensitive files within the /proc/ directory, preventing this attack path from being used to leak confidential data.

The incident serves as another reminder that AI tools are becoming deeply integrated into modern software development workflows. As their capabilities expand, even minor security weaknesses in their design can create significant risks for enterprise environments.

Subscribe
Notify of
0 Коментарі
Oldest
Newest Most Voted
Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.