A newly identified security threat known as ‘Comment and Control’ has uncovered a significant vulnerability across multiple AI coding agents operating within GitHub. This threat exploits GitHub’s pull request titles, issue bodies, and comments to execute prompt injections, allowing attackers to capture sensitive API keys and tokens within CI/CD environments.
Understanding the Vulnerability
The ‘Comment and Control’ attack takes its name from the Command and Control (C2) infrastructure used in malware operations. It affects three major AI agents: Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent. All three were found to be susceptible, with leakage of the credentials available to the workflow as the consequence.
Security researcher Aonan Guan highlighted that the entire attack procedure occurs within GitHub. By crafting malicious pull request titles or issue comments, attackers can manipulate AI agents to follow harmful instructions, ultimately leading to credential leaks via GitHub’s own communication channels, such as comments or commits.
Mechanics of the Attack
Unlike older prompt injection methods that require user interaction, ‘Comment and Control’ needs no action from the victim. GitHub Actions workflows trigger automatically on pull request or issue events, so simply opening a pull request or filing an issue is enough to start these agents without any direct engagement from the repository’s maintainers.
For instance, in Anthropic’s Claude Code Security Review, the pull request title is inserted directly into the AI’s prompt with no sanitization. This oversight allows attackers to have the agent execute commands and exfiltrate credentials such as ANTHROPIC_API_KEY and GITHUB_TOKEN. Anthropic confirmed the issue and rated it critical (CVSS 9.4).
Case Studies and Mitigations
Google’s Gemini CLI Action also suffers from this vulnerability, where malicious inputs can override the agent’s safety instructions and expose the GEMINI_API_KEY publicly. This flaw, reported by Neil Fendley and colleagues, earned a $1,337 bounty from Google.
In the case of GitHub Copilot, the attack bypassed multiple security layers, such as environment variable filtering and network firewalls. Despite initial dismissal as a known issue, GitHub recognized the severity following proof of concept and awarded a $500 bounty.
Experts recommend allowlisting the tools an agent may invoke, minimizing the privileges of the secrets it can reach, requiring human approval for critical actions, and thoroughly auditing AI integrations in CI/CD pipelines to mitigate these risks.
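The two ingredients described above (a workflow that fires on attacker-controllable events and interpolates untrusted event fields such as the pull request title into an agent’s input, while secrets and write permissions are in scope) and the mitigations just listed can both be checked mechanically. The following is an added example, not code from the article or from any of the vendors named in it: a small dependency-free audit script that scans a GitHub Actions workflow for untrusted `${{ github.event.* }}` contexts, secret references and write permissions, and grades the combination. The two embedded workflows are constructed samples; `example-org/ai-review-action`, its `api_key`, `prompt` and `allowed_tools` inputs, and the `ai-review` environment are hypothetical names used only for illustration. The hardened sample shows least-privilege permissions, a reviewer-gated environment and a tool allowlist; the diff an agent reads is still untrusted content, which is exactly why those containment controls matter.

```python
import re

# Event-payload fields any GitHub account can set (PR/issue title and body,
# comment body, head branch name). GitHub documents these as untrusted input.
UNTRUSTED_CONTEXTS = (
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")                     # ${{ ... }}
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)")
WRITE_PERM_RE = re.compile(r"^\s*([a-z-]+)\s*:\s*write\s*$", re.M)
WRITE_ALL_RE = re.compile(r"^\s*permissions\s*:\s*write-all\s*$", re.M)


def find_untrusted_expressions(text):
    """Untrusted event contexts referenced inside ${{ }} expressions."""
    hits = []
    for match in EXPR_RE.finditer(text):
        for ctx in UNTRUSTED_CONTEXTS:
            if ctx in match.group(1):
                hits.append(ctx)
    return hits


def find_secret_references(text):
    """Names of secrets the workflow passes to steps or actions."""
    return SECRET_RE.findall(text)


def find_write_permissions(text):
    """Permission scopes granted write access (or 'write-all')."""
    scopes = WRITE_PERM_RE.findall(text)
    if WRITE_ALL_RE.search(text):
        scopes.append("write-all")
    return scopes


def assess_workflow(text):
    """Grade a workflow: untrusted input plus secrets/write access is 'high'."""
    untrusted = find_untrusted_expressions(text)
    secrets = find_secret_references(text)
    writes = find_write_permissions(text)
    findings = [f"untrusted input interpolated: {ctx}" for ctx in untrusted]
    findings += [f"secret in scope: {name}" for name in secrets]
    findings += [f"write permission granted: {scope}" for scope in writes]
    if untrusted and (secrets or writes):
        risk = "high"      # injection path and something worth stealing/abusing
    elif untrusted:
        risk = "medium"    # injection path, but nothing privileged to reach
    else:
        risk = "low"
    return {"risk": risk, "findings": findings}


# Constructed sample: attacker-controlled PR title goes straight into the prompt,
# while an API key, GITHUB_TOKEN and write permissions are all in scope.
WEAK_WORKFLOW = """\
name: ai-review
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run AI review agent
        uses: example-org/ai-review-action@v1   # hypothetical action
        with:
          api_key: ${{ secrets.AI_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          prompt: "Review the PR titled: ${{ github.event.pull_request.title }}"
"""

# Constructed sample: read-only token, reviewer-gated environment holding the
# API key, explicit tool allowlist, and no event fields in the prompt.
HARDENED_WORKFLOW = """\
name: ai-review
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
  pull-requests: read
jobs:
  review:
    runs-on: ubuntu-latest
    environment: ai-review   # assumes required reviewers configured on it
    steps:
      - uses: actions/checkout@v4
      - name: Run AI review agent
        uses: example-org/ai-review-action@v1   # hypothetical action
        with:
          api_key: ${{ secrets.AI_API_KEY }}
          allowed_tools: "read_file,grep"       # hypothetical allowlist input
          prompt: "Review the code changes in this pull request."
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        report = assess_workflow(wf)
        print(f"{label}: risk={report['risk']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against real workflow files, the script is a first-pass triage aid rather than a proof of safety: it flags only the documented untrusted contexts and cannot see inputs an action reads from the event payload on its own, so an AI-agent step that passes the audit still needs the tool allowlist, minimal secrets and approval gate applied in the action’s own configuration.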
As this vulnerability demonstrates, AI agents processing untrusted data with tool and secret access are at risk, extending beyond GitHub Actions to include AI agents in platforms like Slack and Jira.
