Johns Hopkins researchers steal API keys from Claude Code, Gemini CLI, and GitHub Copilot via PR title prompt injection — all three vendors paid bug bounties quietly

Timeline

1. 2025-10

   Aonan Guan (Johns Hopkins) submits initial prompt injection finding against Claude Code Security Review to Anthropic via HackerOne

2. 2025-11

   Anthropic pays $100 bug bounty, upgrades severity from CVSS 9.3 to 9.4; updates documentation with security warning; no CVE assigned, no public advisory

3. 2026-Q1

   Guan extends attack to Google Gemini CLI Action and Microsoft GitHub Copilot — both vulnerable, both pay bug bounties without advisories

4. 2026-04-15

   The Register publishes exclusive interview with Guan; research published at oddguan.com

5. 2026-04-16

   Secondary coverage by GBHackers, Winbuzzer confirms silent-patching pattern and ongoing exposure for pinned-version users

Technical breakdown

• Attack vector: PR title injection — all three affected agents read GitHub data (PR titles, issue bodies, comments) as trusted task context, making them hijackable by any PR author with repo access
• All three agents share the same vulnerable data flow: read GitHub data → process as task context → execute tool calls with full Actions runner permissions
• Post-exfiltration cleanup: attacker changes PR title back to innocuous text ('fix typo'), closes PR, deletes bot's review comment — leaves minimal forensic trace
• Credentials exposed include GITHUB_TOKEN, ANTHROPIC_API_KEY, and any cloud provider secrets available to the Actions runner environment
• Guan estimates the pattern extends to all agents integrating with GitHub Actions — Slack bots, Jira agents, deployment automation — not only the three confirmed affected vendors