Microsoft — Claude Code GitHub Action Exposes CI/CD Secrets via /proc/self/environ
AI relevance: CI/CD agents that read untrusted GitHub content while holding privileged access create systemic secret-exfiltration risk — a single crafted PR comment can leak API keys to attackers.
- Microsoft Threat Intelligence researchers demonstrated that Claude Code's GitHub Action (pre-v2.1.128) could be manipulated into leaking its ANTHROPIC_API_KEY via a crafted pull request comment.
- The attack exploits indirect prompt injection: PR titles, issue bodies, and comments are attacker-controlled text that lands in the model's context window as if they were legitimate instructions.
- Claude Code Action ships with robust Bash sandboxing (Bubblewrap namespace isolation, scrubbed environment variables) — but the Read tool was not held to the same standard.
- Researchers got the agent to read
/proc/self/environ, the file that exposes a running process's full environment including secrets wired in by the CI runner. - One file read, no shell execution required — the sandbox built to stop command injection simply did not apply to the tool that performed the leak.
- Anthropic shipped a fix in Claude Code 2.1.128 (released May 5, 2026) that blocks access to sensitive
/procfiles, closing this specific hole. - The vulnerability mirrors the same architectural pattern that enabled the Mexican government breach: an agent holding untrusted input and privileged access in the same breath.
- Any CI/CD agent wired to read untrusted GitHub content while sitting next to real credentials is the same trap with a different lock — the pattern persists across vendors.
Why it matters
GitHub Actions and similar CI/CD pipelines are increasingly delegating code review, issue triage, and PR analysis to AI agents. These agents operate with elevated privileges (API keys, deployment tokens, cloud credentials) while ingesting attacker-controlled content from public repositories. The Claude Code Action vulnerability demonstrates that sandboxing shell execution is insufficient — file-read capabilities can bypass perimeter defenses and exfiltrate secrets directly.
What to do
- Update Claude Code to v2.1.128 or later immediately if you use the GitHub Action in repositories accepting outside contributions.
- Audit any CI/CD agent that reads untrusted content (PRs, issues, comments) and ensure file-read tools are sandboxed with the same rigor as shell execution.
- Block access to
/proc/self/environand other sensitive procfs paths in agent execution environments. - Rotate API keys and secrets exposed to CI/CD agents regularly, and assume compromise if untrusted content was processed before patching.
- Consider using ephemeral credentials or short-lived tokens for CI/CD agent workflows to limit blast radius.
Sources: