Practical guides to protect yourself, your family, and your business from AI-driven scams, deepfakes, and emerging cyber threats.
Microsoft's threat researchers built a trap and watched it spring. They wired Anthropic's Claude Code GitHub Action, an AI assistant that reads code-review requests and acts on them, into a test repository, then opened an issue containing hidden instructions. The assistant followed them. It found the file where the build system keeps its secrets, read out a live Anthropic API key, and disguised that key well enough to slip past two separate security checks. No password was cracked. No software bug in the traditional sense was triggered. The attacker just wrote a comment.
The finding, published on June 5, 2026, matters because of where this assistant lives. It runs inside the pipeline that builds and ships your software, surrounded by the credentials that pipeline needs to do its job. Teach that pipeline to take orders from strangers, and a single sentence becomes a way in.
The setup is now common. Many teams plug an AI agent into GitHub Actions (GitHub's built-in automation, which runs jobs whenever someone opens an issue, leaves a comment, or files a pull request) so it can triage bug reports or review code. Anthropic's Claude Code Action is one such agent. It reads the issue or pull request, including text written by people outside the team, and decides what to do next. That openness is the whole point of the tool. It is also the whole problem.
Anthropic had anticipated the danger and locked down the agent's command-running tool, sealing it inside a sandbox that strips secrets out of the environment before any command runs. Microsoft Threat Intelligence found the gap: the agent's separate file-reading tool was never put behind the same wall. So the researchers planted a prompt injection (instructions hidden inside content the AI reads, which the model then obeys as if they were its own commands) inside a GitHub issue. To get past the model's refusal instinct, they dressed the request up as a routine compliance review and told it to trim the first seven characters off whatever it found. That small edit did real work. It stripped the telltale sk-ant- prefix from the API key, so neither Claude's safety filter nor GitHub's secret scanner recognised what was leaving the building. The file-reading tool then opened /proc/self/environ, the system file that holds a running program's environment variables, and there sat the unprotected key.
The patched key is the smallest part of this. The concrete loss in the demonstration was one API key, but the same build runner routinely holds the credentials that would let an intruder act in your name: the GitHub token, cloud access keys, the token that publishes your packages to the world. Reach those, and a poisoned comment stops being a prank and becomes a supply-chain compromise that ships to everyone who installs your software. Here is what changes for your team. If you have connected any AI agent to a workflow that outsiders can trigger, then every issue, every pull request, and every comment is now untrusted input running inches from your secrets. The deeper shift is worth raising in your next engineering review. CI/CD pipelines (the continuous integration and delivery systems that automatically test and release code) were built to run fixed, predictable scripts, and an AI agent breaks that assumption because it treats plain English as an instruction. Natural language has quietly become executable code, and most pipelines were never designed to defend against a paragraph.
The attack worked not because the AI misbehaved but because it did exactly what it was told, by the wrong person. That is the uncomfortable lesson to carry into the next security meeting. Once you let an agent act on text that anyone on the internet can write, you have to treat every comment as a potential command. The convenience of an assistant that reads your issues and fixes your code is real, and so is the fact that it reads an attacker's issue with exactly the same trust. One question is worth asking before the next AI tool gets wired into your pipeline. If a stranger's comment can reach our build secrets, what in our setup stops it from walking out with them?


