How One GitHub Issue Could Hijack Claude Code

A critical supply chain flaw in Claude Code GitHub Actions let attackers hijack repositories through a single issue.

June 2, 2026

A security researcher recently showed that a single crafted GitHub issue could take over almost any repository running Anthropic's Claude Code GitHub Actions, including Anthropic's own. The finding, reported by RyotaK at GMO Flatt Security, is a textbook supply chain problem, and it lands squarely on the kind of AI automation more teams are wiring into their build pipelines every month.

What the flaw actually did

Claude Code GitHub Actions lets teams hand routine work to an AI agent: triaging issues, reviewing pull requests, writing code from a comment. To keep strangers from abusing that power, the workflow checks whether whoever triggered it has write access to the repository.

From a fake issue to a stolen repository

Getting in was only step one. The real damage came from prompt injection.

By writing an issue that looked like a broken error message, the attacker could trick Claude into "recovering" by running commands hidden in the text. Those commands read the workflow's environment variables, which included the credentials GitHub uses to mint short-lived identity tokens. With those tokens, an attacker could request a privileged access token for the repository and start pushing code.

Because the Claude Code action repository used the same workflow on itself, the blast radius was enormous. Compromise that one repository, and every downstream project pulling the action inherits the poisoned code. That is the supply chain nightmare in one sentence: one weak link, thousands of victims.

How Anthropic closed it

Anthropic responded quickly and shipped fixes in Claude Code GitHub Actions v1.0.94. The patch stops GitHub Apps from silently triggering agent mode, adds a check that confirms a real human is behind the request, scrubs sensitive environment variables from the commands Claude runs, wraps shell tools so they cannot be twisted into data exfiltration, and ignores issues edited after a workflow starts. The vulnerabilities were rated 7.8 on the CVSS scale, and RyotaK received a $3,800 bounty plus a $1,000 bonus for the related bypasses.
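
The environment-scrubbing fix described above can be sketched as follows; this is an added example, not code from Anthropic's action or from the original post. The allowlist, the name markers and the sample runner environment are constructed assumptions; `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` are the variables GitHub Actions exposes for requesting OIDC tokens.

```python
import os
import subprocess
import sys

# Assumed policy for this example: a model-chosen command sees only these.
ALLOWED = {"PATH", "HOME", "LANG", "TMPDIR", "GITHUB_WORKSPACE", "GITHUB_REPOSITORY"}

# Second layer: names containing these fragments are dropped even if
# someone later adds them to the allowlist by mistake.
SENSITIVE_MARKERS = ("TOKEN", "SECRET", "PASSWORD", "KEY", "CREDENTIAL")


def is_sensitive(name):
    upper = name.upper()
    return any(marker in upper for marker in SENSITIVE_MARKERS)


def scrubbed_env(parent, allowed=ALLOWED):
    """Return the environment an agent-run command is allowed to inherit."""
    return {k: v for k, v in parent.items() if k in allowed and not is_sensitive(k)}


def run_agent_command(argv, parent=None):
    """Run a command on the agent's behalf without the runner's credentials."""
    env = scrubbed_env(os.environ if parent is None else parent)
    # argv is a list and shell=False, so issue text cannot add shell syntax here.
    return subprocess.run(argv, env=env, capture_output=True, text=True,
                          timeout=30, check=False)


# Constructed stand-in for a workflow runner's environment (no real values).
SAMPLE_PARENT = {
    "PATH": os.environ.get("PATH", os.defpath),
    "GITHUB_WORKSPACE": "/tmp",
    "GITHUB_TOKEN": "constructed-token",
    "ACTIONS_ID_TOKEN_REQUEST_URL": "https://example.invalid/oidc",
    "ACTIONS_ID_TOKEN_REQUEST_TOKEN": "constructed-oidc-bearer",
    "ANTHROPIC_API_KEY": "constructed-api-key",
}


def child_visible_names(parent=SAMPLE_PARENT):
    """Spawn a real child process and report which variable names it sees."""
    probe = "import os; print('\\n'.join(sorted(os.environ)))"
    return set(run_agent_command([sys.executable, "-c", probe], parent).stdout.split())


if __name__ == "__main__":
    print(sorted(child_visible_names()))
```

Scrubbing only removes what a child process inherits; it does not stop the model from being steered, which is why the patch pairs it with the other checks listed above.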

Securing AI agents in your pipeline

Prompt injection is not a solved problem, and giving an AI agent write access to your code is the same as giving that access to whatever text the agent reads. If untrusted input can reach the model, untrusted input can reach your repository.

The convenience of an AI agent in your build process is real. So is the attack surface that comes with it.

VibeAudits

Security Experts
