一覧へ戻る

Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories - The Hacker News

要約

重要ポイント

  1. GitHub Actionの脆弱性:Anthropicの「Claude Code GitHub Action」に、1つのGitHub Issueを開くだけで悪意のあるコードを注入できる脆弱性が見つかった。
  2. トリガー検出の欠陥:GitHub Appsの「[bot]」という名前を持つアクターを信頼する設定が、任意のユーザーが悪意のIssueを投稿できる状況を生み出した。
  3. プロンプトインジェクションの利用:攻撃者はAIに誤った指示を注入し、Linuxの環境変数ファイルに保存されたGitHub Actionsの認証情報を抽出する手法を用いた。
  4. 修正の実施:2026年1月に報告され、4日以内に修正(バージョン1.0.94)が実施された。また、CVSS v4.0で7.8の評価を受け、バグボーナスが支払われた。
  5. 実際の被害事例:2026年2月に同様の手法でnpmの公開トークンが盗まれ、偽のライブラリが配布された事例がある。

流れのまとめ

Anthropicが提供する「Claude Code GitHub Action」に、GitHub Issueの投稿を介してリポジトリを乗っ取る可能性のある脆弱性が発見された。この脆弱性は、GitHub Appsの「[bot]」という名前を持つアクターを自動的に信頼する設定と、プロンプトインジェクション技術を組み合わせて悪用可能だった。攻撃者は、Linuxの環境変数ファイルからGitHub Actionsの認証情報を抽出し、悪意のコードをリポジトリに注入する攻撃を実行した。この問題は2026年1月に報告され、4日以内に修正が実施されたが、同様の手法による実際の被害事例(npmトークンの盗難)も確認されている。

この人物を追う上での意味

Claude Codeの開発者であるAnthropicは、AIを活用したコード関連のツールの開発に注力しており、そのセキュリティの脆弱性はAI技術の信頼性や、開発プロセスへの影響に直接関係する。今回の脆弱性の発見と修正の経緯は、AIを活用したツールのセキュリティ設計における課題を浮き彫りにしている。また、プロンプトインジェクションを含むAIのセキュリティリスクは今後も継続的に議論されるべきであり、Anthropicの動向はAI技術の進化とそのリスク管理の指針となる可能性がある。

(情報不足:具体的な攻撃がAnthropic自身のリポジトリに実際に適用された事例は明記されていない。)

抽出本文

A security researcher found a flaw in Anthropic's Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it, with nothing more than a single opened GitHub issue. Because Anthropic's own action repo used the same workflow, a working attack could have pushed malicious code into the action itself and onto the projects downstream that pull it. RyotaK of GMO Flatt Security reported the core bypass to Anthropic in January, and Anthropic fixed it within four days , with further hardening through the spring; the fixes are in claude-code-action v1.0.94. Anthropic rated the issues 7.8 under CVSS v4.0 and paid a bug bounty. Claude Code GitHub Actions drops Claude into CI/CD pipelines to triage issues, slap on labels, review pull requests, or run slash commands. By default, the workflow gets read and write access to a repo's code, issues, pull requests, discussions, and workflow files. Because those permissions are broad, the action is supposed to be picky about who can trigger it: only users with write access. The trigger check had a hole. It waved through any actor whose name ended in [bot], on the assumption that GitHub Apps are trusted things admins install. Trouble is, anyone can register a GitHub App, install it on a repo they own, and use its token to open an issue or pull request on any public repository. The action saw "a bot" and let the attacker's content through. Tag mode had an extra check to confirm the actor was a real human; agent mode didn't, which left it open. From there, the attacker leans on indirect prompt injection, the trick of planting instructions inside content that an AI reads so the model follows them instead of its actual task. RyotaK wrote an issue whose body looked like an error message, then refined the prompt until Claude would "recover" by running the commands buried in it. The target is /proc/self/environ, the Linux file that holds a process's environment variables, secrets included. Claude Code blocks naive reads, but RyotaK bypasses the guard anyway and gets Claude to write the values back into the issue, where the attacker can grab them. The real prize in those variables is the credential pair GitHub Actions uses to request an OIDC token, a signed token that proves "I'm this workflow running in this repo." Claude Code trades that token with Anthropic's backend for a Claude GitHub App installation token with write access. Steal those credentials, replay the exchange, and you hold write access to the target's code, issues, and workflows. Aim it at the claude-code-action repo itself, and you could poison the action that downstream projects pull. RyotaK also flagged a softer route that skipped the bot trick entirely. Anthropic's own example issue-triage workflow shipped with allowed_non_write_users: "*", which lets anyone trigger it, a setting Anthropic's docs already flag as risky. Worse, Claude was posting task summaries to the workflow run's publicly visible summary panel, a ready-made way to leak data out. Plenty of repos copied that example and inherited the hole. There's also a path for an attacker who can edit issues but can't trigger Claude on their own: edit a trusted user's issue after it has fired the workflow, but before Claude reads it, and the payload rides in as "trusted" input. What to do? Update to claude-code-action v1.0.94 or later. Then audit any workflow that lets users without write access, or bots, trigger Claude: if it is taking untrusted input, don't feed it any secret beyond the Anthropic API key and GITHUB_TOKEN, and remove tools and permissions that can be used for exfiltration. None of this is theoretical. The same setup, an AI issue-triager plus broad permissions plus prompt injection, already caused a real supply-chain hit: In February, a prompt-injected issue title against Cline's claude-code-action triage workflow let attackers steal an npm publish token and push an unauthorized cline@2.3.0 . The rogue version only force-installed a separate, non-malicious AI agent and was pulled about eight hours later, but the same chain could just as easily have shipped real malware to everyone who updated. The autonomous "HackerBot-Claw" bot then spent late February probing GitHub Actions misconfigurations at Microsoft, Datadog, CNCF projects, and others, though when it tried to prompt-inject a Claude-based reviewer through a poisoned config file, Claude caught it and refused. There's no public sign of this exact path, the one that poisons Anthropic's own action, was used against a live target; RyotaK proved it only in his own test repos, and he's careful to separate that from the variants above that did get exploited. RyotaK says he has now reported around 50 separate ways to bypass Claude Code's permission system and run commands, part of a steady run of prompt-injection flaws in AI coding agents . Prompt injection still isn't solved, and an agent with real tools and real tokens can be pushed as far as its permissions allow. Learn practical strategies to detect and defend against cyber threats beyond zero-day vulnerabilities. Learn how to validate automated pentesting results for accurate security decisions.