Claude Code GitHub Action Flaw: Repo Hijack Risk
A flaw in the Claude Code GitHub Action let a single malicious issue hijack repositories. Here's how it works and what developers must do now.
A critical flaw in the Claude Code GitHub Action allowed a single malicious issue submission to hijack repository access. The Claude Code GitHub Action vulnerability exposed CI/CD pipelines to full repository takeover through a technique researchers are calling prompt injection via issue content. If your workflows invoke Claude on user-supplied input, you need to read this carefully.
How the Claude Code GitHub Action Vulnerability Works
The flaw lives in how the Action processes GitHub issues. When a repository enables the Claude Code Action to respond to or triage issues automatically, the Action reads the issue body and passes it as context to the Claude model. An attacker submits an issue containing carefully crafted natural language instructions. Those instructions redirect Claude to execute unintended commands, such as modifying workflow files, exfiltrating secrets from the environment, or pushing malicious commits.
This is prompt injection at the CI/CD layer. The model has no reliable mechanism to distinguish between legitimate instructions from the repository owner and adversarial instructions embedded in user-submitted content. Because GitHub Actions can be granted write permissions to repositories, secrets access, and even deployment credentials, the blast radius is significant.
The attack chain is short. Submit issue. Action triggers. Claude reads injected payload. Attacker gains write access or worse.
What's Actually at Risk for Developers
Any repository using the Claude Code GitHub Action with default or elevated permissions is potentially exposed. The immediate risks include unauthorized code commits, secret exfiltration from GITHUB_TOKEN or stored environment variables, modification of workflow YAML files to create persistent backdoors, and lateral movement if the compromised token has organization-level scope.
Shared repositories in organizations are particularly vulnerable. One compromised repo with broad token permissions can become a pivot point into other repositories, package registries, or deployment infrastructure.
Fixing the Claude Code GitHub Action Flaw
Mitigation requires changes at multiple layers.
First, audit your workflow permissions. Set permissions: read-all as the default in your workflow files and grant write access only to specific jobs that genuinely require it. Remove broad contents: write grants from any workflow that invokes Claude on external input.
Second, never pass raw issue or PR content directly to AI model invocations without sanitization. Treat user-submitted content the same way you treat SQL input: it requires escaping and validation before it touches any execution context.
Third, pin the Claude Code Action to a specific commit SHA rather than a mutable tag. This prevents silent updates from introducing new behaviors.
Fourth, enable GitHub's built-in security features. Required reviewers on workflow changes, branch protection rules, and secret scanning all add friction to exploitation.
Fifth, run a full scan of your web-facing surfaces to identify any secondary attack vectors that could be used in combination with CI/CD compromise.
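An added example, not code from the page or from the Action's project: a Python check that audits a workflow file for the three settings the steps above call out (top-level write permissions, an action pinned to a mutable tag instead of a commit SHA, and raw issue text interpolated into the model prompt). The workflow fragments are constructed; the action slug, its `prompt` input and the SHA are placeholders, and the parsing is a line-based heuristic rather than a full YAML parser.

```python
import re

# Constructed workflow fragments (not from the page or the project); the action
# slug, its "prompt" input and the 40-hex SHA are placeholders.
WEAK_WORKFLOW = """\
on: [issues]
permissions: write-all
jobs:
  triage:
    steps:
      - uses: anthropics/claude-code-action@beta
        with:
          prompt: "Triage this issue: ${{ github.event.issue.body }}"
"""
HARDENED_WORKFLOW = """\
on: [issues]
permissions: read-all
jobs:
  triage:
    permissions:
      issues: write
    steps:
      - uses: anthropics/claude-code-action@0123456789abcdef0123456789abcdef01234567
        with:
          prompt: "Triage issue #${{ github.event.issue.number }}"
"""

# Event fields whose text an outside party controls when written into a prompt.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.event\.(?:issue|comment|pull_request"
                       r"|review|review_comment|discussion)\.(?:body|title)\s*\}\}")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
SHA40 = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Line-based heuristic audit of one workflow; returns only non-empty findings."""
    findings = {"unpinned": [], "untrusted_input": UNTRUSTED.findall(text),
                "top_level_write": []}
    for ref in USES.findall(text):
        # Local actions (./path) carry no ref; everything else must be a full SHA.
        if not ref.startswith("./") and not SHA40.match(ref.rpartition("@")[2]):
            findings["unpinned"].append(ref)
    in_top = False  # inside a column-0 `permissions:` block
    for line in text.splitlines():
        if re.match(r"permissions:\s*write-all", line):
            findings["top_level_write"].append("write-all")
        in_top = line.startswith("permissions:") or (in_top and line[:1].isspace())
        scope = re.match(r"\s+([\w-]+):\s*write\b", line)
        if in_top and scope:  # job-level write grants are allowed; top-level are not
            findings["top_level_write"].append(scope.group(1))
    return {k: v for k, v in findings.items() if v}
```

Run it over every file under `.github/workflows/` that invokes the Action; an empty result means the file passes these three checks, not that the workflow is safe in every other respect.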
Anthropic has been notified. Check the official GitHub Actions security hardening guide for additional configuration recommendations while a patch is evaluated.
Detecting If You've Already Been Compromised
Review your repository's Actions run logs for unusual Claude outputs, particularly any runs triggered by recently opened issues. Look for unexpected commits, changes to .github/workflows/ files, or new deploy keys added to the repository settings. GitHub's audit log at the organization level will show permission changes and token usage that falls outside normal patterns.
Short of a full forensic review, treat any repository with this Action enabled and permissive workflow permissions as potentially compromised until verified clean.
FAQ
Does this affect all repositories using Claude Code GitHub Action? Any repository where the Action reads issue or PR content and has write permissions enabled is potentially vulnerable. Read-only invocations with restricted token scopes carry significantly lower risk.
Is this a bug in Claude itself or in the GitHub Action? The core issue is architectural. Prompt injection is not a model bug but a design problem in how untrusted user content is fed into an AI agent with privileged access to infrastructure.
How quickly can an attacker exploit this? The attack requires only submitting a single crafted GitHub issue. If the Action is configured to trigger automatically on issue creation, exploitation can happen in minutes with no further interaction required.