PERMISSION/PROTOCOL

2026-05-01

High · Vendor post

Johns Hopkins researchers exfiltrated API keys from Anthropic, Google, and Microsoft coding agents via GitHub Actions — all three vendors paid bug bounties

Johns Hopkins researchers demonstrated API key exfiltration from over-permissioned coding agents at Anthropic, Google, and Microsoft via GitHub Actions. All three paid bug bounties.

Claude Code (Anthropic) / Gemini (Google) / GitHub Copilot (Microsoft)
Credential exposure
Over-permissioned agent credential exfiltration via prompt injection
GitHub Actions workflows / coding agent tool contexts

What happened

Researchers injected prompts that caused coding agents to access and exfiltrate API keys and credentials available in the GitHub Actions environment through the agents' inherited permission scope.

Why it matters

API keys and credentials exfiltrated from production environments at Anthropic, Google, and Microsoft. Attack vector confirmed valid; bug bounties paid by all three vendors.

Missing authorization check

A Credential Gate that scopes each agent invocation to only the credentials its specific task requires. Agents should not inherit the operator's full credential environment — they should receive a bounded, task-scoped credential set with a signed receipt.

Would PP block it?

PP's Credential Gate requires a signed receipt naming which credentials an agent is authorized to access for a specific task. An agent attempting to read credentials outside its receipt scope is blocked at the tool layer. This is the exact control missing in all three affected systems: authentication existed (agents ran under valid credentials) but credential scope was not bounded to the task.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-04: Johns Hopkins researchers discover over-permissioned agent credential exfiltration via GitHub Actions across major AI vendors.
  2. 2026-04: Responsible disclosure submitted to Anthropic, Google, and Microsoft.
  3. 2026-05: All three vendors pay bug bounties, confirming the vulnerabilities are valid against production systems.
  4. 2026-05-07: Cequence AI publishes an AI agent least-privilege access guide citing the JHU research as a confirmed case study.

Technical breakdown

  • Coding agents inherit their operator's full credential environment by default — authentication (who the agent is) does not imply scoped authorization (what credentials the agent should access).
  • A prompt injection attack in the GitHub Actions context directed agents to access and exfiltrate API keys that were present in the environment but not needed for the task.
  • All three vendors' agents were vulnerable because the attack exploits a systemic design assumption: agents can freely access any credential their operator can access.
  • Bug bounties from all three vendors confirm this was a production-level finding, not a synthetic lab environment.
  • The fix requires enforcement at the tool invocation layer — least-privilege credential scoping per agent task, not per-operator credential scope.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Credential Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: credential access at the tool invocation layer within GitHub Actions and CI/CD contexts
Still needs: model-level prompt injection prevention remains a separate need; the credential control itself must be enforced at the tool layer, not the model layer
Receipt required for: every credential access by an agent; the receipt must name the specific secret, the task requiring it, and the authorized operator

A Credential Gate enforcing least-privilege scoping per agent invocation would prevent the exfiltration. The attack requires the agent to have access to credentials beyond its task scope — PP's credential gating closes this gap directly.
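The following is an added illustration of the tool-layer control described above (the Credential Gate, the receipt fields listed under "Receipt required for", and the technical breakdown's point that authentication does not imply scoped authorization). It is not Permission Protocol's code and not the researchers' code. The runner environment, secret names, task id, operator name and HMAC signing key are all constructed; a real deployment would sign receipts with an operator-held key or a hardware-backed signer and would never place that key in the agent's environment. The gate releases a secret only when a receipt with a valid signature names that secret for the current task, and records every denial so an injected over-reach shows up in the audit trail.

```python
"""Toy Credential Gate: releases a runner secret only if a signed,
task-scoped receipt names it. Example code, not a real product's API."""
import hashlib
import hmac
import json


# Constructed stand-in for a CI runner's full credential environment.
RUNNER_ENV = {
    "ANTHROPIC_API_KEY": "sk-ant-example-constructed",
    "GITHUB_TOKEN": "ghp_example_constructed",
    "CLOUD_DEPLOY_KEY": "deploy-example-constructed",
}

# Hypothetical operator signing key. It lives with the signer, never
# with the agent; it is hard-coded here only so the example runs offline.
SIGNER_KEY = b"constructed-operator-signing-key"


def _canonical(body):
    """Stable byte encoding of the receipt body so signatures are reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_receipt(task_id, operator, secrets, key=SIGNER_KEY):
    """Operator side: issue a receipt naming exactly which secrets one task may read."""
    body = {"task_id": task_id, "operator": operator, "secrets": sorted(secrets)}
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class CredentialDenied(PermissionError):
    """Raised when a secret request falls outside the receipt, or the receipt is invalid."""


class CredentialGate:
    """Tool layer: sits between the agent's tool calls and the runner environment."""

    def __init__(self, env, key=SIGNER_KEY):
        self._env = env
        self._key = key
        self.audit = []  # (task_id, secret_name, decision) for detection/forensics

    def _verify(self, receipt):
        expected = hmac.new(self._key, _canonical(receipt["body"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, receipt["sig"]):
            self.audit.append((receipt["body"].get("task_id"), None, "bad_signature"))
            raise CredentialDenied("receipt signature invalid")
        return receipt["body"]

    def get_secret(self, receipt, name):
        """Return a secret only if the verified receipt scopes this task to it."""
        body = self._verify(receipt)
        if name not in body["secrets"]:
            self.audit.append((body["task_id"], name, "denied"))
            raise CredentialDenied(f"{name} is outside receipt scope for task {body['task_id']}")
        if name not in self._env:
            self.audit.append((body["task_id"], name, "missing"))
            raise KeyError(name)
        self.audit.append((body["task_id"], name, "allowed"))
        return self._env[name]


def demo():
    """Walk through in-scope access, an out-of-scope request, and a tampered receipt."""
    gate = CredentialGate(RUNNER_ENV)
    receipt = sign_receipt("fix-flaky-test-123", "alice", ["ANTHROPIC_API_KEY"])
    results = {}

    # The task legitimately needs the model API key: allowed.
    results["in_scope"] = gate.get_secret(receipt, "ANTHROPIC_API_KEY") == RUNNER_ENV["ANTHROPIC_API_KEY"]

    # An injected instruction asks for a secret the task never needed: blocked and logged.
    try:
        gate.get_secret(receipt, "CLOUD_DEPLOY_KEY")
        results["out_of_scope_blocked"] = False
    except CredentialDenied:
        results["out_of_scope_blocked"] = True

    # The agent widens its own receipt body; the operator's signature no longer matches.
    forged = {"body": dict(receipt["body"], secrets=["ANTHROPIC_API_KEY", "CLOUD_DEPLOY_KEY"]),
              "sig": receipt["sig"]}
    try:
        gate.get_secret(forged, "CLOUD_DEPLOY_KEY")
        results["forged_receipt_blocked"] = False
    except CredentialDenied:
        results["forged_receipt_blocked"] = True

    return results, gate.audit


if __name__ == "__main__":
    outcome, trail = demo()
    print(outcome)
    for entry in trail:
        print(entry)
```

The point the example makes is the one the page makes: the agent in `demo()` is fully authenticated (it holds a genuine receipt and runs in an environment that contains every secret), yet the only secret it can actually read is the one its task was scoped to, and both the over-reach and the tampered receipt leave a denial record the operator can alert on.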

Start small

Put the relevant gate at this action boundary.

This incident maps to Credential Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
