Comment and Control: one prompt pattern hijacks Claude Code, Gemini CLI, and GitHub Copilot

One pull request title, three AI agents, every secret in the runner

A security researcher named Aonan Guan, working with two Johns Hopkins University researchers, has demonstrated that a single prompt injection pattern can hijack three of the most widely deployed AI coding agents on GitHub — Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and GitHub Copilot Agent — and exfiltrate the host repository's API keys and access tokens.

The attack was disclosed publicly on April 15, 2026 and updated May 4, 2026 after Anthropic completed its remediation. It is the first public cross-vendor demonstration of a single prompt-injection pattern landing against three major AI agent vendors at once.

What happened

Guan calls the technique Comment and Control — a play on the command-and-control infrastructure that traditional malware needs. In this attack, the entire loop runs inside GitHub itself. The attacker writes a comment, the AI agent reads it, the agent executes the embedded instructions, and the agent commits or comments the stolen credentials back into GitHub where the attacker can retrieve them. No external server required.

The three confirmed findings:

• Claude Code Security Review — The PR title is interpolated directly into the agent's prompt with no sanitization. A malicious PR title instructs Claude to run whoami, ps auxeww, and env, then post the results as a "security finding" comment. The dump contains ANTHROPIC_API_KEY and GITHUB_TOKEN. Anthropic accepted the report at CVSS 9.4 Critical, paid a $100 bounty, and later downgraded the severity to None on April 20, 2026.
• Gemini CLI Action — An issue comment injects a fake "Trusted Content Section" that overrides Gemini's safety instructions. Gemini then posts GEMINI_API_KEY as a public issue comment. Google paid a $1,337 bounty through its VRP program.
• GitHub Copilot Agent — The payload hides inside an HTML comment that GitHub's rendered Markdown view does not display. A victim assigning the issue to Copilot sees only innocuous text. Copilot then executes ps auxeww | base64 -w0 and commits the encoded process environment as a file in a new PR — bypassing GitHub's environment filter, its secret scanner, and its network firewall in one chain. GitHub paid $500 after initially closing the report as informative.

Why this matters

Every defense layer that vendors built around these agents — model-level guardrails, prompt-level instructions, environment filtering, secret scanning, network allowlists — was bypassed in the same way: by using the agent's intended capabilities against it. The attacker did not exploit a parser bug. They put text into the field the agent is designed to read.

That is the structural problem. An AI agent in CI must process untrusted input (PR titles, issue bodies, comments) to do its job. The same agent must hold production secrets to do its job. Putting both in the same runtime means any prompt injection that lands becomes a credential leak. Guan's own analogy is the right one: this is phishing, but for machines.

By default GitHub Actions does not expose secrets to pull requests from forks. But the pull_request_target trigger does — and so does any workflow on issues or issue_comment events, which fire on input from any GitHub user. Repositories that wired up automatic AI review on those triggers shipped the vulnerability with them.

What to do about it

1. Audit which triggers your AI workflows run on. Any agent that runs on pull_request_target, issues, or issue_comment from untrusted contributors should be treated as exposed to prompt injection.
2. Allowlist tools, do not blocklist them. Anthropic's first patch blocked ps; cat /proc/*/environ achieves the same result. Pass --allowed-tools with only the commands the agent needs, and remove shell execution entirely from agents whose job does not require it.
3. Scope the secrets the workflow can see. Use fine-grained, short-lived tokens for the specific repository operation the agent performs. Do not hand a code-review agent a GITHUB_TOKEN with write access, and do not store organization-wide secrets in workflows that process external input.
4. Rotate any credentials the affected agents have touched. If you ran Claude Code Security Review, the Gemini CLI Action, or Copilot Agent on PRs or issues from outside contributors, treat the relevant API keys as potentially exposed and rotate them.
5. Inspect repository history for hidden HTML comments in Copilot-assigned issues. The Copilot variant is invisible in GitHub's rendered view but present in raw Markdown. Check issue source for <!-- --> blocks containing shell commands.

Bottom line

The same workflow data the agent must read is the workflow data the attacker controls. As long as AI agents in CI hold production secrets in the same runtime that processes pull requests and issues, Comment and Control will keep working — only the injection surface will change. Treat every coding agent like a contractor with shell access: need-to-know on secrets, least privilege on tools, and assume that any text it reads from the internet was written to deceive it.