The attack starts with a GitHub issue. Not a sophisticated one. Just an issue opened by a bot account with a carefully worded body that looks like an error message. When Claude Code’s GitHub Action picks it up for triage, it follows the instructions hidden inside, reads the process’s environment variables, and writes them back into the issue for the attacker to collect.

Those variables contain the credentials needed to request an OIDC token, which can be exchanged for a Claude GitHub App installation token with full write access to the repository’s code, issues, and workflows. Aim the attack at Anthropic’s own claude-code-action repository, which ran the same vulnerable workflow, and you could poison the action that thousands of downstream projects pull.

Security researcher RyotaK of GMO Flatt Security reported the vulnerability to Anthropic in January. The company fixed the core bypass within four days, with additional hardening through the spring. The patches are in claude-code-action v1.0.94. Anthropic rated the issues 7.8 under CVSS v4.0 and paid a bounty of $4,800.

How the bypass worked

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

Claude Code GitHub Actions gives Claude read and write access to a repository’s code, issues, pull requests, discussions, and workflow files by default. To limit who can trigger those capabilities, the action checks whether the actor has write access to the repository.

The check had a hole. It automatically trusted any actor whose name ended in [bot], on the assumption that GitHub Apps are trusted tools installed by administrators. But anyone can register a GitHub App, install it on a repository they control, and use its token to open an issue on any public repository. The action saw a bot name and let the content through. Agent mode lacked the additional human-actor verification that tag mode performed, leaving it fully exposed.

Once past the gate, the attacker uses indirect prompt injection, planting instructions inside content that Claude reads as data but executes as commands. RyotaK crafted an issue body disguised as an error recovery message. Claude “recovered” by running the commands buried inside, reading /proc/self/environ despite Claude Code’s built-in guards against that exact operation, and posting the values to the issue.

A second path, no bot required

RyotaK also identified a softer route that bypassed the bot trick entirely. Anthropic’s own example issue-triage workflow shipped with the setting allowed_non_write_users: “*”, which permits anyone to trigger the action. Anthropic’s documentation already flagged this as risky, but many repositories copied the example and inherited the configuration.

Worse, Claude was posting task summaries to the workflow run’s publicly visible summary panel, creating a ready-made exfiltration channel. A third variant targeted race conditions: edit a trusted user’s issue after the workflow fires but before Claude reads it, and the malicious payload rides in as trusted input.

Not theoretical

The same pattern, an AI issue triager combined with broad permissions and prompt injection, has already caused real damage. In February, a prompt-injected issue title against Cline’s claude-code-action triage workflow let attackers steal an npm publish token and push an unauthorised [email protected]. The rogue version force-installed a separate AI agent called OpenClaw on roughly 4,000 developer systems during an eight-hour window before being pulled.

An autonomous bot called HackerBot-Claw then spent late February probing GitHub Actions misconfigurations at Microsoft, Datadog, and CNCF projects. When it tried to prompt-inject a Claude-based reviewer through a poisoned config file, Claude caught it and refused. That is both reassuring and concerning: the model’s defences are inconsistent enough that the same class of attack sometimes succeeds and sometimes fails.

Fifty bypasses and counting

RyotaK says he has now reported approximately 50 separate ways to bypass Claude Code’s permission system and execute commands. The finding is part of a broader wave of supply chain attacks targeting AI-powered developer tools, from the poisoned VS Code extension that breached GitHub’s own repositories to malicious npm packages designed to harvest credentials from AI coding assistants.

The remediation is straightforward: update to claude-code-action v1.0.94 or later, audit any workflow that allows non-write users or bots to trigger Claude, strip unnecessary secrets from the environment, and remove tools and permissions that could be used for exfiltration.

The deeper problem is structural. Prompt injection remains unsolved. An AI agent with real tools and real tokens can be pushed as far as its permissions allow, and the permissions most organisations grant by default are far broader than the attack surface they are prepared to defend.