RyotaK — Claude Code GitHub Actions Supply Chain Compromise via Permission Bypass

AI relevance: A permission bypass in Anthropic's official CI/CD GitHub Action lets an unauthenticated attacker chain prompt injection, OIDC token theft, and MCP tool abuse to push backdoored code into Anthropic's own repository — a textbook agentic supply chain compromise that impacts every downstream user.

  • Security researcher RyotaK (GMO Flatt Security) disclosed a critical vulnerability in anthropics/claude-code-action, patched in v1.0.94.
  • The checkWritePermissions function unconditionally trusted any actor with a name ending in [bot], regardless of actual repository permissions — a flawed trust assumption about GitHub App bot identity.
  • Attack chain: create a malicious GitHub App → install on attacker repo → use its installation token to open an issue/PR on the target repo → the bot-named actor bypasses the permission check → workflow processes attacker-controlled content.
  • The agent mode (distinct from tag mode) lacked a checkHumanActor safeguard, allowing the bypass to proceed unchallenged.
  • Once inside the workflow, a crafted issue description with a fake error message triggers prompt injection — Claude Code permits commands like cat and head without explicit user approval.
  • Attacker reads /proc/self/environ to steal ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL — credentials for requesting GitHub Actions OIDC tokens.
  • These OIDC tokens are exchanged for privileged Claude GitHub App installation tokens via Anthropic's backend, giving write access to repository contents, issues, PRs, and workflows.
  • The mcp__github__update_issue MCP tool in Anthropic's own triage workflow was then abused to write stolen secrets into a public issue for exfiltration.
  • Most severe: the anthropics/claude-code-action repository itself used a vulnerable agent-mode workflow. A successful exploit allows injecting malicious code directly into the action's source — propagating to every downstream repository.
  • Second attack path: RyotaK also found a misconfiguration in Anthropic's example workflows using allowed_non_write_users: "*". Combined with issues: write and id-token: write permissions across two workflows, an attacker can chain them to steal a GITHUB_TOKEN via publicly visible workflow run summaries, then escalate to full repo compromise without the GitHub App bypass.
  • The full attack chain spans seven steps from rogue GitHub App creation to backdoored code propagation — a complete agentic supply chain compromise.
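The trust flaw in the second and fourth bullets (a bot-suffixed login accepted before repository permissions are consulted) reduces to a small check. The following is an added example modelled on that description, not the project's own code or its actual v1.0.94 fix; the `PermissionLookup` callback, the `trustedBots` allowlist and the sample permission table are assumptions standing in for the GitHub collaborators API.

```typescript
// Added illustration of the described flaw; hypothetical names, not claude-code-action source.
type Permission = "admin" | "write" | "read" | "none";
type PermissionLookup = (actor: string) => Permission;

// Vulnerable shape: any login ending in "[bot]" is trusted before the
// repository permission is ever looked up, so an app installed only on an
// attacker-controlled repository passes the gate on the target repository.
function checkWritePermissionsVulnerable(actor: string, lookup: PermissionLookup): boolean {
  if (actor.endsWith("[bot]")) {
    return true; // trust derived from a name suffix, not from granted permissions
  }
  const level = lookup(actor);
  return level === "admin" || level === "write";
}

// Hardened shape: the suffix carries no trust. Every actor must actually
// hold write or admin on the repository, and bots additionally need an
// explicit allowlist entry maintained by the workflow owner.
function checkWritePermissionsHardened(
  actor: string,
  lookup: PermissionLookup,
  trustedBots: ReadonlySet<string>,
): boolean {
  const level = lookup(actor);
  const hasWrite = level === "admin" || level === "write";
  if (actor.endsWith("[bot]")) {
    return hasWrite && trustedBots.has(actor);
  }
  return hasWrite;
}

// Constructed sample table: what a collaborators-permission query might return.
const samplePermissions: { [login: string]: Permission | undefined } = {
  "maintainer": "admin",
  "contributor": "write",
  "dependabot[bot]": "write",
  "evil-app[bot]": "none", // attacker's app: not installed on the target repository
};
const lookup: PermissionLookup = (actor) => samplePermissions[actor] ?? "none";
const trustedBots: ReadonlySet<string> = new Set(["dependabot[bot]"]);

// Demonstration: the unprivileged bot passes the vulnerable check and fails the hardened one.
console.log("vulnerable:", checkWritePermissionsVulnerable("evil-app[bot]", lookup)); // true
console.log("hardened:", checkWritePermissionsHardened("evil-app[bot]", lookup, trustedBots)); // false
```

The same lookup-first rule should apply in every entry point, including agent mode, so that no mode skips the permission check the way the missing checkHumanActor safeguard did.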

Why it matters

This is a real-world demonstration of Microsoft's newly catalogued "Agentic Supply Chain Compromise" failure mode — natural-language attack surfaces (prompt injection) combined with CI/CD infrastructure to achieve code-level supply chain compromise. Any organization using Claude Code GitHub Actions should audit immediately.

What to do

  • Update anthropics/claude-code-action to v1.0.94+ immediately.
  • Pin action versions to specific SHA commits rather than mutable tags.
  • Review allowed_non_write_users settings in all AI-agent workflows — never set to wildcard.
  • Audit workflow permission boundaries: avoid combining issues: write with id-token: write in the same workflow unless strictly necessary.
  • Treat AI agent CI/CD workflows as high-value targets in your threat model — they have access to both secrets and the ability to execute arbitrary natural-language instructions.

Sources