On April 15, 2026, The Register reported that security researcher Aonan Guan had successfully hijacked AI agents from three separate companies — Anthropic, Google, and GitHub — using the same class of attack against each, paid quiet bug bounties from all three, and received no CVE assignments, no public advisories, and no disclosure of any kind to users running older versions of the affected tools.
The attack is called "comment and control." The name is a deliberate play on "command and control." And the fact that it affected Claude Code, Gemini CLI, and Copilot Agent simultaneously — all through GitHub's native infrastructure, with no external attack server required — makes it one of the cleaner illustrations of the security model problem in agentic AI that has existed for years and remains largely unsolved.
Indirect prompt injection is an attack class in which malicious instructions are embedded in content that an AI agent is designed to read and trust — not delivered by the user directly, but found inside documents, issue descriptions, pull request titles, code comments, or any other surface the agent parses during its task. Unlike direct prompt injection (which requires access to the system prompt), indirect injection exploits the agent's read surface: any data the agent ingests and treats as instruction context. In the GitHub Actions context, the attack surface is the entire repository event stream — PR titles, issue bodies, review comments — content that agents were built to consume and that developers rarely treat as a security boundary. Agentic governance at the content layer means intercepting and evaluating that content before the agent acts on it, not after the injected instruction has already executed.
What is the "comment and control" attack technique?
The attacks Guan demonstrated share a structure. An AI agent is assigned a task that requires reading GitHub content — a pull request to review, an issue to triage, a codebase to analyze. Inside that content, Guan embedded instructions the agent was not supposed to follow but did. The attack requires no special access, no compromise of the target infrastructure, and no external command server. The entire attack runs inside GitHub's normal workflow.
Each vendor's agent responded differently to the injection, but all three executed injected instructions:
Anthropic's Claude Code Security Review Action: Guan submitted a pull request and injected instructions directly in the PR title — for example, telling Claude to run the whoami command using its Bash tool and return the output as a "security finding." Claude executed the injected commands, embedded the shell output in its JSON response, and posted the result as a pull request comment. The agent's task was code security review. It was turned into a remote execution surface.
Google's Gemini CLI Action: Guan inserted a fake "trusted content section" after Gemini's legitimate additional content, using it to override Gemini's safety instructions. Gemini, following what it parsed as trusted instructions, published its own API key as an issue comment — credential exfiltration triggered entirely from a text string in a GitHub issue.
GitHub's Copilot Agent: Guan hid malicious instructions inside an HTML comment embedded in a GitHub issue. HTML comments are invisible in the rendered Markdown that human reviewers see. They are fully visible in the raw text that Copilot parses. When a developer assigned the issue to Copilot Agent, the bot followed the hidden instructions without question, exfiltrating an access token.
The common structure: each agent trusted the content it was built to read. None had a mechanism to distinguish legitimate task context from injected attacker instructions.
Why did three vendors pay quietly without filing CVEs?
Guan reported each vulnerability through the respective company's bug bounty programs. Anthropic paid $100. GitHub paid $500. Google paid an undisclosed amount. All three closed the reports and, according to reporting by The Register and The Next Web, none published a public security advisory or assigned a CVE identifier.
The consequence is architectural. A CVE triggers the vulnerability management infrastructure that enterprise security teams rely on: scanner updates, SBOM flags, automated alerts to security engineers when a component reaches a vulnerable version. Without a CVE, that infrastructure is blind. Security teams running older pinned versions of Claude Code's GitHub Action, Gemini CLI, or Copilot Agent have no notification mechanism. Their scanners see nothing. Their SBOMs don't flag the affected version. The attack surface remains open.
Guan was explicit about the concern, telling The Register: "I know for sure that some of the users are pinned to a vulnerable version. If they don't publish an advisory, those users may never know they are vulnerable — or under attack."
This is a governance failure at two levels simultaneously. The first is the expected level: agents that read untrusted content without evaluating it against a content policy. The second is less commonly discussed: even after the vulnerability was identified and disclosed, the vendors who build these agents applied no standard vulnerability governance process to their own products.
The companies that are building the agents your engineering teams are using do not have mature AI security disclosure postures. They patched their own tools. They didn't tell you.
Why does indirect prompt injection keep working?
Post-52 covered the CIS finding that enterprise prompt injection attacks increased 340% between Q1 2025 and Q1 2026. The Guan research explains part of why that number keeps climbing despite years of awareness: the problem is architectural, and the industry has not converged on a solution.
Indirect prompt injection persists for three structural reasons.
The trust model is inherited, not designed. Agents were built on LLMs that learned to follow instructions from all text in the context window. The model doesn't natively distinguish "this is the user's request" from "this is the content the user asked me to read." Applying that distinction requires either model-level fine-tuning (which vendors are doing, with partial success) or an external enforcement layer that evaluates content before the model ingests it. Most deployed agents have neither.
The attack surface expands with capability. Every integration an agent can access is an injection surface. Claude Code can read your codebase, execute shell commands, and query databases through MCP servers. When Guan's injected whoami ran, it ran inside the GitHub Actions runner with whatever permissions that runner held — which, in many enterprise CI/CD environments, is significant. A more sophisticated payload, using the same technique, could have done substantially more damage. The attack Guan demonstrated was proof-of-concept. The access rights it touched were not.
Patching doesn't close the class. The Copilot Studio prompt injection patched by Microsoft in January 2026 (CVE-2026-21520) closed that specific vector. It didn't close the class. The Gemini, Claude, and Copilot incidents disclosed April 15 are new instances of the same class. Each is a distinct vector that requires its own fix; the underlying capability — injecting instructions through content the agent reads — cannot be patched without changing the fundamental architecture of how agents parse their context. According to VentureBeat's reporting on OpenAI's own acknowledgment in late 2025: "Prompt injection, much like scams and social engineering on the web, is unlikely to ever be fully 'solved.'"
How does this affect enterprises running AI in CI/CD pipelines?
The GitHub Actions context is worth dwelling on because it's where a significant portion of enterprise AI agent deployment is happening right now. AI-powered code review, security scanning, dependency analysis, and automated triage are all running inside CI/CD pipelines, triggered by repository events, with access to codebases, secrets, and external services.
The attack surface in that context is the entire PR and issue stream. Any contributor to any repository where an AI action is installed — internal or external, depending on your access controls — can submit content that gets parsed by the agent. A malicious PR description, an issue comment, a code comment in a diff: all of these are vectors. None of them requires compromising any external system.
The question for enterprise security teams is not whether this is possible. Guan demonstrated that it is. The question is: do your AI agents have input validation policies that evaluate content before the model ingests it? Or do your agents inherit the trust model of the LLM beneath them — treating everything in the context window as instruction-eligible?
Most enterprise AI deployments, as of early 2026, are in the second category. The controlled inputs layer — the validation boundary between external content and the agent's reasoning context — is present in almost none of them.
What did the Anthropic prompt injection measurement actually reveal?
The Guan research arrived a few days after VentureBeat reported a separate but related story: Anthropic published internal prompt injection failure rates for Claude Opus 4.6 across four distinct agent surfaces. The headline number was compelling — 0% success rate across 200 injection attempts in a constrained coding environment — and it was used to argue that model-level defenses are improving.
Both things are true simultaneously. Claude Opus 4.6's prompt injection resistance in a constrained environment improved. And Claude's own GitHub Action was successfully hijacked via a PR title.
This is the most important takeaway from the Guan research for enterprise teams: model-level prompt injection resistance is measured in controlled conditions. Production agents operate in uncontrolled conditions — processing PR content submitted by arbitrary contributors, parsing issue descriptions from users who may have adversarial intent, reading documentation that can be modified by anyone with repository access. The 0% success rate in Anthropic's internal evaluation and the successful exfiltration via the Claude Code GitHub Action are not contradictory results. They're two measurements of different surfaces under different conditions.
Model-level defenses reduce the probability of successful injection. They do not eliminate the class. And they provide no protection for users on older versions of agent tooling that vendors chose not to disclose vulnerabilities in.
How Waxell handles this
How Waxell handles this: Waxell's input validation policies evaluate content before the agent acts on it — including content sourced from external systems, repositories, issue streams, or any surface the agent is built to read. A content policy that flags patterns consistent with injection attempts (instruction-like structures in data contexts, privilege escalation language, anomalous command directives) can block the agent from acting on injected content before execution, not after. Waxell's validated data interface layer provides a controlled boundary between external data sources and the agent's reasoning context — separating what the agent is allowed to act on from everything else it reads. Critically, this enforcement operates at the infrastructure layer: it is independent of the underlying model, independent of the agent framework, and independent of whether the agent vendor has patched the version you're running. The agent safety model applies the same policies regardless of what model version is deployed underneath. Governance that operates above the agent code doesn't depend on the agent code being current.
Frequently Asked Questions
What is the "comment and control" prompt injection attack?
Comment and control is an indirect prompt injection technique discovered by security researcher Aonan Guan in which malicious instructions are embedded in GitHub repository content — pull request titles, issue descriptions, issue comments, and HTML comments within Markdown — that AI agents are designed to read as part of their assigned task. The attacker doesn't need direct access to the agent's system prompt or configuration. They need the ability to create or comment on GitHub issues and PRs in a repository where an AI agent action is installed, which in many enterprise environments means any internal repository contributor. When the agent parses the malicious content, it follows the injected instructions without distinguishing them from legitimate task context.
Which AI agents were affected by the April 2026 GitHub prompt injection research?
Security researcher Aonan Guan demonstrated successful injection attacks against three agents: Anthropic's Claude Code Security Review GitHub Action (which executed shell commands and posted results as PR comments), Google's Gemini CLI Action (which published its own API key as an issue comment after injected instructions overrode safety settings), and GitHub's Copilot Agent (which followed hidden instructions embedded in HTML comments — invisible to human reviewers but parsed by the AI). All three vendors paid bug bounties after receiving the disclosure, but none published public security advisories or assigned CVE identifiers.
Why does it matter that no CVE was assigned for these AI agent vulnerabilities?
CVE identifiers are the trigger for enterprise vulnerability management infrastructure: scanner updates, SBOM flags, automated alerts, and patch prioritization workflows all depend on CVE assignment to function. Without a CVE, security teams running older pinned versions of affected agent tools have no automated notification mechanism. Their vulnerability scanners will not flag the affected version. Researcher Aonan Guan explicitly noted that users pinned to vulnerable versions may never know they are exposed. The absence of CVE disclosure is itself a governance failure: it leaves the downstream risk management burden entirely on enterprise users who have no way of knowing the risk exists.
Is prompt injection in AI agents a solved problem?
No. OpenAI acknowledged in late 2025, according to VentureBeat, that "prompt injection, much like scams and social engineering on the web, is unlikely to ever be fully 'solved.'" Model-level defenses are improving: Anthropic reported a 0% injection success rate for Claude Opus 4.6 across 200 attempts in a constrained coding environment. But production agents operate in unconstrained environments — reading content from arbitrary contributors, processing untrusted data sources, and running with access to real systems and credentials. Model-level defenses reduce attack success rates in controlled conditions; they do not eliminate the class, and they do not protect users on older versions of agent tooling. Infrastructure-layer content policies provide defense that is independent of model version and vendor patch status.
What is the difference between direct and indirect prompt injection in AI agents?
Direct prompt injection inserts malicious instructions into the user's own input to the agent — the user directly attempts to override the system prompt. Indirect prompt injection embeds malicious instructions in content the agent is designed to read as part of its task: documents, web pages, repository data, issue comments, code files. Indirect injection is more dangerous in enterprise deployments because it requires no privileged access to the agent's configuration — only the ability to create content that the agent will eventually process. In the GitHub Actions context, indirect injection can be executed by any party with repository access, including external contributors to public-facing repositories.
What should enterprise security teams do about AI agents embedded in CI/CD pipelines?
Three immediate actions: First, audit what AI agent actions are installed in your GitHub organization and what repository content permissions they carry. Second, confirm whether those agents are on current versions and whether any unpatched vulnerabilities exist — since vendors may not have published advisories for known issues. Third, implement infrastructure-layer content policies that evaluate what external content enters agent context before the model processes it. Relying on model-level injection resistance alone is insufficient for production agent deployments where untrusted parties can influence the content agents process.
Sources
- The Register, Anthropic, Google, Microsoft paid AI bug bounties — quietly (April 15, 2026) — https://www.theregister.com/2026/04/15/claude_gemini_copilot_agents_hijacked/
- The Next Web, Anthropic, Google, and Microsoft paid AI agent bug bounties, then kept quiet about the flaws (April 15, 2026) — https://thenextweb.com/news/ai-agents-hijacked-prompt-injection-bug-bounties-no-cve
- Cybernews, AI agents vulnerable to prompt injection via GitHub: But do vendors care? (April 2026) — https://cybernews.com/security/ai-agents-github-prompt-injection-pattern/
- VentureBeat, Anthropic published the prompt injection failure rates that enterprise security teams have been asking every vendor for (April 2026) — https://venturebeat.com/security/prompt-injection-measurable-security-metric-one-ai-developer-publishes-numbers
- VentureBeat, OpenAI admits prompt injection is here to stay as enterprises lag on defenses (December 26, 2025) — https://venturebeat.com/security/openai-admits-that-prompt-injection-is-here-to-stay
- VentureBeat, Microsoft patched a Copilot Studio prompt injection. The data exfiltrated anyway (2026) — https://venturebeat.com/security/microsoft-salesforce-copilot-agentforce-prompt-injection-cve-agent-remediation-playbook
- CIS (Center for Internet Security), 340% increase in enterprise prompt injection attacks Q1 2025 – Q1 2026
Top comments (0)