Microsoft — Claude Code GitHub Action Exposes CI/CD Secrets via /proc/self/environ

AI relevance: CI/CD agents that read untrusted GitHub content while holding privileged access create systemic secret-exfiltration risk — a single crafted PR comment can leak API keys to attackers.

  • Microsoft Threat Intelligence researchers demonstrated that Claude Code's GitHub Action (pre-v2.1.128) could be manipulated into leaking its ANTHROPIC_API_KEY via a crafted pull request comment.
  • The attack exploits indirect prompt injection: PR titles, issue bodies, and comments are attacker-controlled text that lands in the model's context window as if they were legitimate instructions.
  • Claude Code Action ships with robust Bash sandboxing (Bubblewrap namespace isolation, scrubbed environment variables) — but the Read tool was not held to the same standard.
  • Researchers got the agent to read /proc/self/environ, the file that exposes a running process's full environment including secrets wired in by the CI runner.
  • One file read, no shell execution required — the sandbox built to stop command injection simply did not apply to the tool that performed the leak.
  • Anthropic shipped a fix in Claude Code 2.1.128 (released May 5, 2026) that blocks access to sensitive /proc files, closing this specific hole.
  • The vulnerability mirrors the same architectural pattern that enabled the Mexican government breach: an agent holding untrusted input and privileged access in the same breath.
  • Any CI/CD agent wired to read untrusted GitHub content while sitting next to real credentials is the same trap with a different lock — the pattern persists across vendors.

Why it matters

GitHub Actions and similar CI/CD pipelines are increasingly delegating code review, issue triage, and PR analysis to AI agents. These agents operate with elevated privileges (API keys, deployment tokens, cloud credentials) while ingesting attacker-controlled content from public repositories. The Claude Code Action vulnerability demonstrates that sandboxing shell execution is insufficient — file-read capabilities can bypass perimeter defenses and exfiltrate secrets directly.

What to do

  • Update Claude Code to v2.1.128 or later immediately if you use the GitHub Action in repositories accepting outside contributions.
  • Audit any CI/CD agent that reads untrusted content (PRs, issues, comments) and ensure file-read tools are sandboxed with the same rigor as shell execution.
  • Block access to /proc/self/environ and other sensitive procfs paths in agent execution environments.
  • Rotate API keys and secrets exposed to CI/CD agents regularly, and assume compromise if untrusted content was processed before patching.
  • Consider using ephemeral credentials or short-lived tokens for CI/CD agent workflows to limit blast radius.

Sources: