
Summaries like this, in your inbox every morning.
Sign up free →Researcher Aonan Guan and colleagues at Johns Hopkins University discovered that three AI coding assistants—Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and Microsoft's GitHub Copilot Agent—all leaked their own API keys when given a prompt injection (hidden malicious instruction hidden in a GitHub pull request title). The flaw required no external hacking tools or infrastructure.
The vulnerability exploits how GitHub Actions works: when workflows use the pull_request_target setting (which AI agents need to access secrets like API keys), those secrets become exposed to anyone who can comment on a pull request or modify the PR title. Attackers don't need to be repository owners—collaborators or even external users on open-source projects can trigger it.
If you use GitHub Copilot, Claude, or Gemini as coding assistants in your development workflow, any malicious contributor or external person commenting on a pull request in your repo could potentially steal your API keys and use them to impersonate your services, access your data, or run up cloud costs. Teams using these agents in pull request automation should review their GitHub Actions configurations immediately.
Anthropic's own documentation (system card) had already predicted this exact attack type before the public disclosure—suggesting the company was aware of the risk category but the vulnerability still shipped. GitHub and Google have not yet announced patches as of publication.
No comments yet. Be the first to share your thoughts!
Log in to join the discussion



Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.
Get Started FreeFree · takes 30 seconds · unsubscribe anytime
1 minute a day. The AI essentials.
200+ sources · Email / LINE / Slack