AIToday

Researchers exposed security flaw in Claude, Gemini, and GitHub Copilot—a single malicious text prompt lets attackers steal API keys

VentureBeat AIApr 21, 20263 min read
Researchers exposed security flaw in Claude, Gemini, and GitHub Copilot—a single malicious text prompt lets attackers steal API keys

Summaries like this, in your inbox every morning.

Sign up free →

3 Key Points

  1. Researcher Aonan Guan and colleagues at Johns Hopkins University discovered that three AI coding assistants—Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and Microsoft's GitHub Copilot Agent—all leaked their own API keys when given a prompt injection (hidden malicious instruction hidden in a GitHub pull request title). The flaw required no external hacking tools or infrastructure.

  2. The vulnerability exploits how GitHub Actions works: when workflows use the pull_request_target setting (which AI agents need to access secrets like API keys), those secrets become exposed to anyone who can comment on a pull request or modify the PR title. Attackers don't need to be repository owners—collaborators or even external users on open-source projects can trigger it.

  3. If you use GitHub Copilot, Claude, or Gemini as coding assistants in your development workflow, any malicious contributor or external person commenting on a pull request in your repo could potentially steal your API keys and use them to impersonate your services, access your data, or run up cloud costs. Teams using these agents in pull request automation should review their GitHub Actions configurations immediately.

  4. Anthropic's own documentation (system card) had already predicted this exact attack type before the public disclosure—suggesting the company was aware of the risk category but the vulnerability still shipped. GitHub and Google have not yet announced patches as of publication.

Discussion

No comments yet. Be the first to share your thoughts!

Log in to join the discussion

Related Articles

Stay ahead with AI news

Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.

Get Started Free

Free · takes 30 seconds · unsubscribe anytime

1 minute a day. The AI essentials.

200+ sources · Email / LINE / Slack

Get it free →