{"slug": "microsoft-reports-claude-code-github-action-credential-leak", "title": "Microsoft Reports Claude Code GitHub Action Credential Leak", "summary": "Microsoft Threat Intelligence reported on June 5, 2026 that Anthropic's Claude Code GitHub Action could expose CI/CD workflow secrets when the agent processed untrusted GitHub content, as the Read tool was not sandboxed and could access /proc/self/environ to obtain the workflow's ANTHROPIC_API_KEY. Anthropic mitigated the issue in version 2.1.128 by blocking access to sensitive /proc files, while the Cloud Security Alliance separately identified a related \"Comment and Control\" attack class that can exfiltrate tokens from multiple vendors' agents.", "body_md": "# Microsoft Reports Claude Code GitHub Action Credential Leak\n\nMicrosoft Threat Intelligence reported that Anthropic's **Claude Code GitHub Action** could expose CI/CD workflow secrets when the agent processed untrusted GitHub content, according to a Microsoft security blog post published June 5, 2026. Microsoft wrote that the agent's Read tool was not sandboxed like its subprocess execution paths, and that it was able to read **/proc/self/environ** and obtain the workflow's ANTHROPIC_API_KEY; Microsoft added that Anthropic mitigated the issue in **version 2.1.128** by blocking access to sensitive /proc files. Separate disclosure by the Cloud Security Alliance and security researchers identified a related attack class called \"Comment and Control\" that can exfiltrate tokens from multiple vendors' agents, and the CSA reported vendors accepted small bug bounties but did not assign CVEs.\n\n### What happened\n\nMicrosoft Threat Intelligence published a security blog post on June 5, 2026 describing a vulnerability in **Anthropic's Claude Code GitHub Action** that could expose CI/CD workflow secrets when the agent ingests attacker-controlled GitHub content. 
Microsoft wrote that the action's Read tool was not subject to the same sandboxing as its Bash subprocess, and that the Read tool was authorized to access **/proc/self/environ**, allowing it to read the workflow's ANTHROPIC_API_KEY and potentially other credentials available to the runner. Microsoft also reported that, \"Following our responsible disclosure, Anthropic mitigated this issue in Claude Code version 2.1.128 by blocking access to sensitive /proc files.\" (Microsoft security blog)\n\n### Technical details\n\nEditorial analysis - technical context: Public reporting identifies this incident as a specific instance of prompt injection against agentic tooling that processes raw repository content. The Microsoft blog demonstrates an attack pattern in which attacker-supplied text in issue bodies, PR descriptions, or comments is treated as trusted context and can influence the agent's tool use. The Cloud Security Alliance (CSA) research note published April 17, 2026 names the broader class \"Comment and Control\" and documents how AI agents from Anthropic, Google, and Microsoft can be induced to exfiltrate secrets. The CSA lists confirmed exfiltration targets including ANTHROPIC_API_KEY, GITHUB_TOKEN, GEMINI_API_KEY, GITHUB_COPILOT_API_TOKEN, and GITHUB_PERSONAL_ACCESS_TOKEN (CSA research note).\n\n### Observed attack vectors (reported)\n\n- Prompt injection hidden inside an HTML comment in an issue body, as shown in Microsoft's writeup.\n- Cross-site-scripting-style payloads embedded in issue/PR content, per Microsoft and CSA descriptions.\n- Dedicated PRs or comments crafted to trigger agent tool use, as cataloged by the CSA.\n\n### Context and significance\n\nMultiple independent reports converge on the same operational risk: agentic code assistants that can run tools, read files, or post back to GitHub expand the attack surface beyond that of traditional CI/CD tools. 
The CSA research note documents coordinated disclosure of vulnerabilities affecting three major vendor agents and reports that vendors paid small bug bounties but did not issue CVEs or broad notifications. Checkmarx commentary likewise frames **Claude Code** as an agent whose file access and command execution capabilities create new security requirements beyond classical IDE assistants. For practitioners, the key implication is that ingesting untrusted repository text into an automated agent that also has access to secrets, file-read tools, or outbound channels materially raises exfiltration risk.\n\n### What to watch\n\nEditorial analysis: Observers should track three categories of indicators: vendor advisories and patch versions (Microsoft attributed mitigation to **version 2.1.128** for Claude Code), whether vendors publish CVEs and coordinated disclosures, and CI/CD configurations that grant agents broad runner-level environment access or repository secrets. Organizations running GitHub Actions that invoke AI agents should review which secrets are provisioned to runners and how agent tooling is sandboxed. Public research and vendor advisories will also clarify whether mitigations are defensive workarounds or architectural changes to agent tooling.\n\n### Practical takeaway for teams\n\nFor practitioners: This reporting highlights that agentic integrations combine text processing and privileged runtime capabilities, creating an exfiltration path that standard static scanners may miss. Defense-in-depth controls, least-privilege provisioning for runner secrets, explicit sandboxing of file-read tools, and treating any untrusted PR/issue text as hostile input are consistent hardening steps described across the Microsoft blog, CSA note, and vendor guidance summarized by security firms.\n\n## Scoring Rationale\n\nThis story exposes a high-impact class of supply-chain and CI/CD risks that affect multiple major vendor agents and can leak repository and API tokens. 
It matters to engineers managing pipelines, security teams, and anyone deploying agentic workflows.", "url": "https://wpnews.pro/news/microsoft-reports-claude-code-github-action-credential-leak", "canonical_source": "https://letsdatascience.com/news/microsoft-reports-claude-code-github-action-credential-leak-2a9237c0", "published_at": "2026-06-06 19:21:09.576898+00:00", "updated_at": "2026-06-06 19:21:12.637474+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "ai-products", "ai-tools"], "entities": ["Microsoft", "Anthropic", "Claude Code GitHub Action", "Cloud Security Alliance", "Microsoft Threat Intelligence"], "alternates": {"html": "https://wpnews.pro/news/microsoft-reports-claude-code-github-action-credential-leak", "markdown": "https://wpnews.pro/news/microsoft-reports-claude-code-github-action-credential-leak.md", "text": "https://wpnews.pro/news/microsoft-reports-claude-code-github-action-credential-leak.txt", "jsonld": "https://wpnews.pro/news/microsoft-reports-claude-code-github-action-credential-leak.jsonld"}}