Miggo Security — Anthropic, Google, Microsoft Paid Bug Bounties for AI Agent Hijacks, No CVEs Issued

AI relevance: Three major AI vendors accepted and paid for proof-of-concept prompt injection attacks that stole API keys and tokens from their GitHub Actions agent integrations — but none issued CVEs or public advisories, leaving users on pinned versions unknowingly exposed.

What happened

• Researcher Aonan Guan (Miggo Security) demonstrated indirect prompt injection attacks against three AI agent integrations with GitHub Actions: Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and GitHub's Copilot Agent.
• Anthropic (Claude Code Security Review): A crafted PR title containing a prompt injection payload caused Claude to execute embedded commands and leak the Anthropic API key, GitHub tokens, and other runner secrets as a PR comment. Severity upgraded from 9.3 to 9.4; bounty: $100. No CVE, no advisory.
• Google (Gemini CLI Action): A fake "trusted content section" injected after legitimate content in a GitHub issue overrode Gemini's safety instructions, causing it to publish its own API key as an issue comment. Bounty amount undisclosed. No CVE.
• GitHub (Copilot Agent): Malicious instructions hidden inside an HTML comment in a GitHub issue — invisible to humans in rendered Markdown, but fully parsed by the AI agent. When a developer assigned the issue to Copilot Agent, the bot followed the hidden instructions. GitHub initially called it a "known issue" it "could not reproduce," later paid $500. No CVE.
• All three attacks exploit the same fundamental gap: AI agents ingest PR/issue content as task context without distinguishing between legitimate data and injected instructions.

Why it matters

Without CVEs or public advisories, vulnerability scanners can't flag the issue, security teams can't track it, and users pinned to vulnerable versions will never learn they're at risk. This establishes a dangerous precedent: if prompt injection bugs in production AI agents are resolved privately with small bounties and no public disclosure, the entire AI agent ecosystem operates without the transparency that traditional software security depends on. The $100 bounty for a CVSS 9.4 credential exfiltration from Anthropic's own security review tool is particularly striking.

What to do

• If you use any of these GitHub Actions AI integrations, ensure you're running the latest version regardless of whether a CVE was published.
• Implement PR/issue content sanitization before feeding it to AI agents — strip HTML comments, limit context length, and treat untrusted content as data only.
• Advocate within your organization for public disclosure norms for AI security findings — private bounties without CVEs create blind spots.
• Security teams: add prompt injection to your AI agent threat models and test your own CI/CD AI integrations for similar attack patterns.

Sources

• TheNextWeb — Anthropic, Google, and Microsoft paid AI agent bug bounties, then kept quiet about the flaws
• The Register — Claude, Gemini, Copilot agents hijacked via prompt injection