{"id":4294,"date":"2026-06-10T15:13:26","date_gmt":"2026-06-10T15:13:26","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/10\/security-flaw-in-claude-code-illustrates-the-risk-of-ai-in-developer-workflows\/"},"modified":"2026-06-10T15:13:26","modified_gmt":"2026-06-10T15:13:26","slug":"security-flaw-in-claude-code-illustrates-the-risk-of-ai-in-developer-workflows","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/10\/security-flaw-in-claude-code-illustrates-the-risk-of-ai-in-developer-workflows\/","title":{"rendered":"Security Flaw in Claude Code Illustrates the Risk of AI in Developer Workflows"},"content":{"rendered":"<div><img data-opt-id=492100160  fetchpriority=\"high\" decoding=\"async\" width=\"770\" height=\"330\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/05\/AicodingSdlc-Large-e1778088519682.jpeg\" class=\"attachment-large size-large wp-post-image\" alt=\"\" \/><\/div>\n<p><img data-opt-id=1096595839  fetchpriority=\"high\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/05\/AicodingSdlc-Large-150x150.jpeg\" class=\"attachment-thumbnail size-thumbnail wp-post-image\" alt=\"\" \/><\/p>\n<p>A vulnerability in Anthropic\u2019s Claude Code development tool could have been exploited by threat actors to expose credentials and other secrets within <a href=\"https:\/\/devops.com\/cyber-threats-to-devops-platforms-rising-fast-gitprotect-report-finds\/\" target=\"_blank\" rel=\"noopener\">CI\/CD workflows<\/a>, the latest example of the <a href=\"https:\/\/devops.com\/critical-microsoft-github-flaw-highlights-dangers-to-ci-cd-pipelines-tenable\/\" target=\"_blank\" rel=\"noopener\">security risks to software development pipelines<\/a> posed by such AI coding agents.<\/p>\n<p>Microsoft security researchers Dor Edry and Amit Eliahu <a 
href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/05\/securing-ci-cd-in-agentic-world-claude-code-github-action-case\/\" target=\"_blank\" rel=\"noopener\">wrote in a report<\/a> that the now-patched flaw in the Claude Code GitHub Action could have been exploited through a prompt injection attack in which the bad actor plants malicious instructions in content the action reads, such as issue bodies, pull request descriptions, and comments; an AI agent that follows those instructions can be steered into exposing secrets.<\/p>\n<p>This form of prompt injection \u2013 an indirect prompt injection \u2013 is a fast-emerging threat.<\/p>\n<p>\u201cRight now, Indirect Prompt Injection (IPI) is a top priority for the security community, anticipating it as a primary attack vector for adversaries to target and compromise AI agents,\u201d Google security researchers <a href=\"https:\/\/blog.google\/security\/prompt-injections-web\/\" target=\"_blank\" rel=\"noopener\">wrote in April<\/a>. \u201cUnlike a direct injection where a user \u2018jailbreaks\u2019 a chatbot, IPI occurs when an AI system processes content \u2013 like a website, email, or document \u2013 that contains malicious instructions. When the AI reads this poisoned content, it may silently follow the attacker\u2019s commands instead of the user\u2019s original intent.\u201d<\/p>\n<p>In this case, Edry and Eliahu wrote that they were tracking \u201cattempts in public repositories using AI-assisted GitHub workflows across multiple vendors, where attacker-controlled issue or PR [pull request] content is processed by the AI agent and could influence its tool use.\u201d<\/p>\n<h3>AI Changes the GitHub Model<\/h3>\n<p>GitHub Actions is GitHub\u2019s automation and CI\/CD platform. Workflows that run on it handle a range of sensitive data, from issue and pull request metadata to cloud credentials and third-party API keys. 
Such workflows weren\u2019t designed with agentic AI in mind.<\/p>\n<p>\u201cGitHub workflows were built for deterministic automation: run tests, build artifacts, deploy code, label issues, or enforce repository policy,\u201d the researchers wrote. \u201cAI-powered workflows change that model. Instead of only executing predefined logic, they ingest repository context, interpret natural-language input, and decide which actions to take next.\u201d<\/p>\n<p>With Claude Code, the threat arises when the bad actor hides the injected instructions in content the action reads from GitHub, such as pull requests, comments, or issues. The agent treats the planted text as legitimate instructions and follows them, which can give the attacker access to files that hold sensitive data.<\/p>\n<p>A key flaw in Claude Code Action was that while subprocess execution paths such as Bash ran inside a sandbox, the Read tool did not.<\/p>\n<p>\u201cRather than routing Read operations through the same secure isolation boundary as Bash, these operations represent direct, in-process calls,\u201d Edry and Eliahu wrote. \u201cThey inherently bypass the Bubblewrap sandbox, operating with full access to the process\u2019s environment variables.\u201d<\/p>\n<h3>Test Proves the Threat<\/h3>\n<p>The researchers ran a test prompt injection payload through Claude Code Action and noted that it evaded two defense layers: Claude\u2019s safety and system-prompt refusal layer and GitHub\u2019s secret scanning. The malicious prompt invoked the Read tool and returned an API key. 
This would not have happened had the Read tool been confined to the same sandbox as Bash, they wrote.<\/p>\n<p>Microsoft reported the flaw to Anthropic in late April, and the AI vendor mitigated the issue in Claude Code 2.1.128 by having the Read tool unconditionally reject several files under <em>\/proc\/<\/em>, so that they cannot be exfiltrated.<\/p>\n<h3>Natural Language as Executable Code<\/h3>\n<p>Edry and Eliahu said defenders and developers need to understand the security risks that AI agents raise within the development environment. Integrating AI into GitHub Actions doesn\u2019t just improve productivity, they wrote, adding that \u201cit is a fundamental rewrite of the CI\/CD security model. Right now, development is moving faster than defense.\u201d<\/p>\n<p>\u201cWe are entering an era where natural language is executable code, and untrusted inputs like GitHub issues must be treated as hostile by default,\u201d the researchers wrote. \u201cA single, carefully crafted comment combined with a misunderstood trust boundary is all it takes to walk away with production credentials.\u201d<\/p>\n<p>Anthropic has run into other security issues regarding Claude Code, including <a href=\"https:\/\/devops.com\/security-flaws-in-anthropics-claude-code-risk-stolen-data-system-takeover\/\" target=\"_blank\" rel=\"noopener\">three critical vulnerabilities<\/a> late last year that could have led to system takeover or stolen API keys, and a leak in March of more than <a href=\"https:\/\/securityboulevard.com\/2026\/04\/anthropic-claude-code-leak\/\" target=\"_blank\" rel=\"noopener\">510,000 lines of source code<\/a> in 1,906 files.<\/p>\n<p><a href=\"https:\/\/devops.com\/security-flaw-in-claude-code-illustrates-the-risk-of-ai-in-developer-workflows\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A vulnerability in Anthropic\u2019s Claude Code 
development tool could have been exploited by threat actors to expose credentials and other [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4295,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-4294","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4294","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4294"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4294\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4295"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4294"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4294"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4294"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
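The article above describes a Read tool that ran as a direct in-process call and therefore bypassed the Bubblewrap sandbox that confined Bash, and a fix that rejects several files under /proc/. The Python below is an added illustration by the editor, not code from Claude Code, Anthropic, or Microsoft's report. It models an agent's in-process file read beside a child process with a scrubbed environment standing in for the sandboxed Bash path, and shows why the read policy has to resolve the requested path (including a symlink a pull request could add) before the open(). The secret-name markers, the denied-path list, the temporary workspace layout and the FAKE_API_TOKEN value are all constructed for the example; the policy is a generic one and is not Anthropic's actual 2.1.128 change.

```python
"""Added illustration (editor's own code, not Claude Code's or Microsoft's):
an in-process file Read tool beside a sandboxed Bash path, before and after a
path policy is applied.

Assumptions (not from the article): the agent process carries CI secrets in
its environment; the Bash tool is modelled as a child process started with a
scrubbed environment; the Read tool is a plain open() inside the agent
process. The denied-tree list is a generic illustration, not Anthropic's
actual fix.
"""
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed heuristic for what counts as a secret-bearing variable name.
SECRET_MARKERS = ("TOKEN", "SECRET", "KEY", "PASSWORD")

# Trees the hardened Read tool refuses however they are addressed.
# /proc/<pid>/environ exposes a process's initial environment block.
DENIED_TREES = (Path("/proc"), Path("/sys"), Path("/dev"))


def scrubbed_env(env):
    """Environment handed to the sandboxed Bash child: secret-looking vars dropped."""
    return {k: v for k, v in env.items()
            if not any(m in k.upper() for m in SECRET_MARKERS)}


def read_file_unsafe(path):
    """Pre-fix shape of the Read tool: a direct in-process open(), no boundary."""
    with open(path, "rb") as f:
        return f.read()


def resolve_request(path, workspace):
    """Resolve the requested path the way the kernel will, following symlinks."""
    ws = Path(workspace).resolve()
    target = Path(path) if os.path.isabs(path) else ws / path
    return ws, target.resolve()


def is_denied(path, workspace):
    """True if the resolved target leaves the workspace or lands in a denied tree.

    Resolving symlinks is the point: a pull request can add
    `notes.txt -> /proc/self/environ`, and a string check on the requested
    name alone would let it through.
    """
    ws, target = resolve_request(path, workspace)
    if any(target == tree or tree in target.parents for tree in DENIED_TREES):
        return True
    return target != ws and ws not in target.parents


def read_file_hardened(path, workspace):
    """Read tool with the policy applied before the open()."""
    if is_denied(path, workspace):
        raise PermissionError(f"Read of {path!r} refused by sandbox policy")
    _, target = resolve_request(path, workspace)
    return read_file_unsafe(target)


def build_demo_workspace():
    """Constructed checkout: one honest file and one attacker-added symlink.

    Returns (workspace_path, symlink_created); symlink creation can fail on
    platforms that restrict it.
    """
    ws = tempfile.mkdtemp(prefix="agent-ws-")
    Path(ws, "README.md").write_bytes(b"hello from the repo\n")
    try:
        os.symlink("/proc/self/environ", os.path.join(ws, "notes.txt"))
        return ws, True
    except OSError:
        return ws, False


def leak_through_unsafe_read(secret_name, secret_value):
    """Linux-only demo: a child process standing in for the agent, with a
    constructed secret in its environment, reads its own /proc/self/environ
    with a bare open(). Returns True if the secret came back."""
    agent_env = {**scrubbed_env(os.environ), secret_name: secret_value}
    child = subprocess.run(
        [sys.executable, "-c",
         "import sys; sys.stdout.buffer.write(open('/proc/self/environ', 'rb').read())"],
        env=agent_env, capture_output=True, check=True)
    return f"{secret_name}={secret_value}".encode() in child.stdout


if __name__ == "__main__":
    ws, has_link = build_demo_workspace()
    print("README via hardened read:", read_file_hardened("README.md", ws))
    for req in ("/proc/self/environ", "notes.txt", "../../../etc/passwd"):
        print(f"{req!r:24} denied={is_denied(req, ws)}")
    if sys.platform.startswith("linux"):
        print("unsafe in-process read leaks secret:",
              leak_through_unsafe_read("FAKE_API_TOKEN", "constructed-value-123"))
```

Run it as a script on Linux: the hardened read serves README.md, refuses the absolute /proc path, the symlinked notes.txt and the traversal, and the final line shows the bare open() in the child handing back the constructed token, which is the shape of leak the article reports. The scrubbing of the child's environment is what keeps the modelled Bash path from having anything to leak; the Read path needs its own policy because it never leaves the agent process.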