Security researchers just demonstrated that the three most popular AI coding agents on GitHub can be tricked into handing over API keys, access tokens, and any secret stored in the runner environment. Anthropic, Google, and Microsoft all paid bug bounties. None of them told their users.

The attack is devastatingly simple. Researcher Aonan Guan, working with a team from Johns Hopkins University, discovered that Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent all share the same fatal design flaw: they read GitHub data like pull request titles, issue bodies, and comments as part of their task context. Inject malicious instructions into that data, and you own the agent.

Guan calls the technique "comment and control" prompt injection. No external infrastructure needed. The entire attack runs inside GitHub. The attacker writes a poisoned pull request title, the AI agent reads it, executes the injected commands, and posts the stolen credentials right there in the PR comments. Then the attacker changes the title back to something innocent and deletes the evidence.

All Three Fell. All Three Paid. None of Them Warned Users.

With Claude Code, Guan submitted a pull request with malicious instructions in the title telling Claude to execute the whoami command and return the results as a "security finding." Claude did exactly that. When Anthropic asked if he could also steal API keys and GitHub tokens, he demonstrated that too. Anthropic paid a $100 bounty, bumped the severity to 9.4, and updated a documentation page. No CVE. No public advisory.

Google Gemini fell to the same technique with an extra twist: the researchers injected a fake "trusted content section" that overrode Gemini's safety instructions and tricked the agent into publishing its own API key as an issue comment. Google paid $1,337.

GitHub Copilot was the hardest target. Microsoft added three runtime security layers on top of model-level defenses: environment filtering, secret scanning, and a network firewall. "I bypassed all of them," Guan told The Register. The trick: injecting malicious instructions inside an HTML comment that GitHub's rendered Markdown makes invisible to humans. The victim assigns the issue to Copilot, never seeing the hidden payload. GitHub initially called it a "known issue" they "were unable to reproduce" before paying a $500 bounty in March.

The Real Problem: Silence

Here is what makes this genuinely dangerous: none of the three companies assigned CVEs or published public advisories. That matters because developers who pinned their GitHub Actions to vulnerable versions have no way of knowing they are exposed. "If they don't publish an advisory, those users may never know they are vulnerable, or under attack," Guan said.

And the attack surface extends well beyond these three agents. Guan believes the vulnerability likely works on any AI agent that integrates with GitHub Actions and has access to tools and secrets: Slack bots, Jira agents, email agents, deployment automation agents. The entire agentic AI ecosystem running on GitHub is potentially exposed.

The Takeaway

The AI industry is racing to give agents more access to more systems. The security model for that access is fundamentally broken. Prompt injection is not a new problem, but the stakes are different when the agent has your API keys, your GitHub tokens, and access to every secret in your CI/CD pipeline. Anthropic got a 9.4 severity rating on this and responded with a documentation update. Google paid $1,337 and moved on. Microsoft called it a known issue.

If you are running any of these agents in your GitHub workflows, update immediately and audit your secrets. If you are running agents you built yourself, assume they have the same vulnerability until proven otherwise. The researchers published their findings on Thursday. The companies never did.

First reported by The Register.