Claude Code exposes OIDC tokens via GitHub Action flaw

Microsoft Threat Intelligence identified a prompt-injection vulnerability in Anthropic's Claude Code GitHub Action that could expose CI/CD workflow secrets, according to the Microsoft Security Blog. Security researcher RyotaK of GMO Flatt Security demonstrated an exploit that used a fake bot actor and prompt injection to trick Claude into reading environment variables from /proc/self/environ and writing them into a GitHub issue. Anthropic patched the flaw in claude-code-action v1.0.94, assigned a CVSS v4.0 score of 7.8, and paid a $4,800 bug bounty, per The Next Web and The Hacker News. The Cloud Security Alliance paper frames this as part of a broader class of AI-powered CI/CD prompt-injection risks that can lead to credential theft and supply-chain compromise.

What happened

Microsoft Threat Intelligence documented a prompt-injection pathway in Anthropic's Claude Code GitHub Action that could allow an attacker to access CI/CD workflow secrets, per the Microsoft Security Blog.
Security researcher RyotaK of GMO Flatt Security published a technical writeup demonstrating an exploit path that used a repository-created bot actor plus carefully crafted issue text to bypass the action's trigger checks and induce Claude to read and exfiltrate environment variables from /proc/self/environ, as described in RyotaK's disclosure and in reporting by The Next Web and The Hacker News. Anthropic released mitigations and updates in claude-code-action v1.0.94, and according to The Next Web and The Hacker News the company rated the finding 7.8 under CVSS v4.0 and paid a $4,800 bug bounty.

Editorial analysis - technical context

The exploit chain combines two distinct failure modes observed across AI agents embedded in CI/CD. First, trigger checks that implicitly trusted any actor whose name ends in "bot" allowed a malicious actor using a self-installed GitHub App to submit content that the action treated as legitimate input, a behavior detailed by The Next Web and The Hacker News. Second, prompt-injection techniques convert attacker-controlled repository content into executable instructions for the agent. In RyotaK's case the issue body was framed as an error-recovery narrative that led Claude to surface environment variables into an issue body, per the published writeup and media coverage. The critical asset exposed in this chain is the OIDC-related environment data used to request workflow identity tokens and exchange them for installation tokens with repository write privileges, a step highlighted in The Next Web's reporting.

Industry context

Cloud Security Alliance's rapid-research note places this incident in a larger pattern in which AI coding agents that process untrusted repository inputs hold elevated privileges and can become direct exfiltration vectors; the CSA document names this class of attacks and references earlier supply-chain compromises as precedent.
The CSA report also documents the "Comment and Control" attack class and cites prior CVEs that affected third-party Actions and supply-chain integrity. Observers in the reporting and the CSA paper underscore that AI tooling in automated workflows changes the threat model: untrusted text fields (issues, PRs, comments) are now potential command paths to privileged runtime state.

What to watch

- Indicators of compromise and misconfiguration: automated workflow runs triggered by unverified "bot" actors, unexpected writes to issues or PRs containing environment-like output, and anomalous use of installation or OIDC tokens, as discussed in the RyotaK disclosure and media coverage.
- Patch adoption: updates to claude-code-action v1.0.94 and vendor hardening timelines summarized by The Next Web and The Hacker News.
- Third-party Action exposure: the Cloud Security Alliance paper notes that many workflows embed third-party actions; watchers should map downstream consumption to assess blast radius.

For practitioners

Industry experience and the CSA analysis indicate that AI agents in CI/CD introduce a new, high-value attack surface where content-parsing logic can be weaponized. Observers should treat untrusted repository fields as tainted input and verify workflow triggers and least-privilege token exchange patterns when integrating agentic tools into pipelines.

Scoring Rationale

This story documents a concrete exploit path that allowed OIDC token and credential theft via an AI agent embedded in CI/CD, with demonstrated repository takeover risk and an identified patch. The incident fits a broader supply-chain trend flagged by the Cloud Security Alliance and therefore has high operational relevance for practitioners.
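As an added detection example (not code from the disclosure, from Anthropic's action, or from any of the cited reports), the following Python triage script applies the "What to watch" indicators and the trigger-check weakness described under the technical context to constructed issue-event records: it flags actors that qualify only by a "bot" login suffix or a Bot account type without being on an allowlist, and it flags issue bodies that carry runner variables such as ACTIONS_ID_TOKEN_REQUEST_TOKEN (a real GitHub Actions OIDC variable name). The event shape, the sample events and the allowlist are assumptions.

```python
import re

# Constructed sample events (hypothetical, not from the disclosure), shaped like
# the actor and body fields of GitHub issue / issue_comment webhook payloads.
SAMPLE_EVENTS = [
    {"actor": "dependabot[bot]", "actor_type": "Bot",
     "body": "Bump lodash from 4.17.20 to 4.17.21"},
    {"actor": "ci-helper-bot", "actor_type": "Bot",
     "body": ("Recovery log, please reproduce:\n"
              "ACTIONS_ID_TOKEN_REQUEST_URL=https://pipelines.example/token\n"
              "ACTIONS_ID_TOKEN_REQUEST_TOKEN=eyJ-REDACTED-\n"
              "HOME=/home/runner\n")},
    {"actor": "alice", "actor_type": "User",
     "body": "Docs fix: mention that PATH=/usr/local/bin is prepended."},
]

# Apps this workflow genuinely expects to trigger it (assumed allowlist). A "bot"
# suffix on a login is not an identity check, so any other bot-looking actor is unverified.
TRUSTED_BOTS = {"dependabot[bot]", "github-actions[bot]"}

# Runner variables that carry OIDC/token material (real GitHub Actions names),
# plus a generic secret-like pattern. Any of these in a body is high signal.
SENSITIVE_ENV = re.compile(
    r"^(?:ACTIONS_ID_TOKEN_REQUEST_(?:TOKEN|URL)|ACTIONS_RUNTIME_TOKEN|"
    r"[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*)=\S+", re.M)
# Any KEY=value line at line start; several in one body look like an environ dump.
ENV_LINE = re.compile(r"^[A-Z][A-Z0-9_]{2,}=\S+", re.M)

def is_unverified_bot(actor: str, actor_type: str) -> bool:
    """Flag actors that look like bots by suffix or type but are not allowlisted."""
    looks_bot = actor.lower().endswith("bot") or actor_type == "Bot"
    return looks_bot and actor not in TRUSTED_BOTS

def env_leak_indicators(body: str) -> dict:
    """Count KEY=value lines and list sensitive variable names found in a body."""
    return {"env_lines": len(ENV_LINE.findall(body)),
            "sensitive": sorted(m.split("=", 1)[0] for m in SENSITIVE_ENV.findall(body))}

def triage(event: dict) -> list:
    """Return the findings an alert for this event should carry (empty = clean)."""
    findings = []
    if is_unverified_bot(event["actor"], event["actor_type"]):
        findings.append("unverified-bot-actor")
    leak = env_leak_indicators(event["body"])
    if leak["sensitive"]:
        findings.append("sensitive-env-in-body:" + ",".join(leak["sensitive"]))
    elif leak["env_lines"] >= 3:
        findings.append("environ-dump-shape")
    return findings
```

Running `triage` over `SAMPLE_EVENTS` marks only the second event, which combines an unallowlisted bot actor with OIDC request variables written into the issue body; a body of plain KEY=value lines without sensitive names is still reported by shape.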