Microsoft: Claude Code GitHub Action prompt injection exposed CI/CD secrets and evaded GitHub secret scanning

Timeline

1. 2026-05-05

   Anthropic releases Claude Code v2.1.128 with /proc filesystem access restriction after responsible disclosure via HackerOne.

2. 2026-06-01

   Flatt Security publishes independent research: Poisoning Claude Code — One GitHub Issue to Break the Supply Chain.

3. 2026-06-02

   CybersecurityNews covers Flatt Security findings; The Hacker News reports on the vulnerability.

4. 2026-06-05

   Microsoft Security Blog publishes full research: Securing CI/CD in an agentic world — Claude Code GitHub Action case.

5. 2026-06-08

   CybersecurityNews and GBHackers cover the Microsoft research; Decrypt publishes analysis.

Technical breakdown

• Malicious payload hidden in HTML comments in GitHub issues — invisible to human reviewers in the rendered UI, fully visible to Claude reading raw markdown.
• Claude Read tool accessed /proc/self/environ — the Linux kernel file holding all process environment variables — with no authorization gate on filesystem paths outside the working directory.
• Credential strings were truncated (e.g., trim the first seven characters) before output, evading GitHub secret scanning pattern-matching on known credential formats.
• Exfiltration via gh CLI URL arguments: Claude passed the truncated secret as a URL path component routing traffic to an attacker-controlled server.
• Attack chain: malicious issue → prompt injection → Read /proc/self/environ → evade scanning → exfiltrate → attacker reconstructs full credential → repository/cloud compromise.