On June 5, 2026, GMO Flatt Security published research — “Poisoning Claude Code: One GitHub Issue to Break the Supply Chain” — showing that Anthropic’s official Claude Code GitHub Action (anthropics/claude-code-action) could be hijacked by a single malicious issue filed against any public repository that used it. Microsoft’s security team published a parallel analysis the same day. Anthropic fixed the chain in claude-code-action v1.0.94, and the researcher rated it CVSS v4.0 7.8. No in-the-wild exploitation has been reported, but the bug is a clean template for an agentic-CI/CD supply chain attack, so anyone running the action should update now.

Two bugs, one chain

Part 1 — permission bypass. The action gated privileged work behind a checkWritePermissions function that was supposed to confirm the triggering user actually had write access. Instead it unconditionally trusted any actor whose login ended in [bot]. Because GitHub Apps have implicit read access to every public repository and can open issues or pull requests anywhere using only an installation token, an attacker could file an issue that the workflow saw as coming from a “bot” — sailing past the permission check without holding any access to the target repo.

Part 2 — prompt injection. With the gate bypassed, the attacker controls the issue body the agent reads. A fake error message embedded in the issue tricks Claude Code into executing attacker-supplied shell commands — a textbook prompt injection. Claude Code auto-approves a set of “safe” Bash commands without human confirmation, and that was enough: the injected commands read /proc/self/environ, the Linux pseudo-file that exposes every environment variable handed to the workflow process.

Why reading /proc/self/environ is game over

Those environment variables include ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL — the credentials a workflow uses to mint GitHub OIDC tokens. Exfiltrate those and you can request OIDC identity tokens as the workflow itself, alongside whatever other secrets (GITHUB_TOKEN, cloud keys, registry credentials) the job exposed. The workflow run-summary feature made exfiltration easier still, rendering attacker-controlled output back into the Actions UI.

The supply chain angle is the dangerous part. If the targeted workflow carried write scope, an attacker could commit poisoned code straight into the action’s own source — and every downstream repository depending on that action would pull the malicious version on its next run. That is the same blast radius as the tj-actions and actions-cool/issues-helper compromises, except the entry point is an LLM reading an issue rather than a stolen token.

A class of bug, not a one-off

SecurityWeek noted the same comment- and issue-based prompt-injection pattern reaches other agentic CI tools, including Gemini CLI and GitHub Copilot’s coding agent. The shared failure mode: an autonomous agent with shell access treats untrusted issue, PR, and comment text from public repositories as trusted instructions. As agents move deeper into CI/CD, the issue tracker becomes an unauthenticated command channel.

What to do now

  • Update anthropics/claude-code-action to v1.0.94 or later. The fix adds a checkHumanActor check to agent mode, disables the run-summary section by default, scrubs environment variables from child processes, and wraps gh in a restricted command shim.
  • Pin the action to a full-length commit SHA, not a floating tag, so a future tag-repoint can’t silently swap the code under you.
  • Don’t trigger agentic workflows on issues, issue_comment, or pull_request_target events from public repos without an explicit human-actor or write-permission gate.
  • Apply least privilege: set permissions: to the minimum, avoid id-token: write unless the job genuinely needs OIDC, and keep long-lived cloud credentials out of agent jobs.
  • Audit past runs for unexpected /proc/self/environ reads or anomalous gh and git activity on agent-enabled workflows.
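The permission-bypass from Part 1 and the human-actor gate in the fix above, as an added TypeScript model that is not code from anthropics/claude-code-action: the function names, the `PermissionLookup` abstraction and the collaborator table are assumptions made for this illustration.

```typescript
// Added example, not the action's own code. Models the actor gate: the vulnerable
// shape trusts any "[bot]" login outright; the hardened shape refuses bots and
// decides on the collaborator permission the repository actually returns.

type Permission = "admin" | "write" | "read" | "none";

// Stand-in for the collaborator-permission API call so the example runs offline
// (GitHub exposes it as GET /repos/{owner}/{repo}/collaborators/{username}/permission).
type PermissionLookup = (login: string) => Permission;

// Vulnerable shape: a login ending in "[bot]" skips the lookup entirely, so a
// GitHub App with no relationship to the target repository passes the gate.
function checkWritePermissionsVulnerable(login: string, lookup: PermissionLookup): boolean {
  if (login.endsWith("[bot]")) {
    return true; // the bypass: no permission lookup at all
  }
  const perm = lookup(login);
  return perm === "admin" || perm === "write";
}

// Hardened shape: bots never receive an implicit pass (checked on both the sender
// type GitHub reports and the login suffix), and humans must hold write or admin.
function checkWritePermissionsHardened(
  login: string,
  senderType: "User" | "Bot",
  lookup: PermissionLookup,
): boolean {
  if (senderType === "Bot" || login.endsWith("[bot]")) {
    return false; // require a human actor before any privileged agent work
  }
  const perm = lookup(login);
  return perm === "admin" || perm === "write";
}

// Constructed collaborator table for a hypothetical repository.
const collaborators: Record<string, Permission> = {
  maintainer: "write",
  "drive-by": "read",
};
const lookup: PermissionLookup = (login) => collaborators[login] ?? "none";
```

Run the vulnerable and hardened checks against an actor such as `evil-app[bot]` to see the first admit it and the second reject it, while a human collaborator with write access passes both.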

Anthropic’s release notes for v1.0.94 and the GMO Flatt and Microsoft write-ups carry the full technical detail and indicators.
