DEV Community

Achin Bansal

Posted on • Originally published at gridthegrey.com

Claude Code GitHub Action Leaked CI/CD Secrets via Prompt Injection

Forensic Summary

Microsoft Threat Intelligence disclosed a vulnerability in Anthropic's Claude Code GitHub Action whereby prompt injection via untrusted GitHub content — issue bodies, PR descriptions, and comments — could cause the AI agent to read sensitive environment variables, including the ANTHROPIC_API_KEY, from /proc/self/environ. The flaw stemmed from inconsistent sandboxing: while subprocess execution paths like Bash were scrubbed of environment variables, the Read tool had no equivalent restriction. Anthropic patched the issue in Claude Code version 2.1.128 by blocking access to sensitive /proc filesystem paths.


Read the full technical deep-dive on Grid the Grey: https://gridthegrey.com/posts/claude-code-github-action-leaked-ci-cd-secrets-via-prompt-injection/
