A critical cross-vendor vulnerability class dubbed\u00a0\u201cComment and Control\u201d\u00a0is a new category of prompt injection attacks that weaponizes GitHub pull request titles, issue bodies, and issue comments to hijack AI coding agents and steal API keys and access tokens directly from CI\/CD environments.<\/a><\/p>\n The attack name is a deliberate play on the classic Command and Control (C2) framework<\/a> used in malware campaigns. Three widely deployed AI agents, Anthropic\u2019s Claude Code Security Review, Google\u2019s Gemini CLI Action, and GitHub Copilot Agent (SWE Agent), were confirmed vulnerable.<\/p>\n According to researcher Aonan Guan, the entire attack loop runs within GitHub itself: an attacker writes a malicious PR title or issue comment, the AI agent reads and processes it as trusted context, executes attacker-supplied instructions, and exfiltrates credentials back through a PR comment, issue comment, or git commit, no external server required.<\/p>\n Unlike classic indirect prompt injection<\/a>, which is reactive and requires a victim to explicitly ask the AI to process a document, Comment and Control is\u00a0proactive: GitHub Actions workflows auto-trigger on\u00a0 In Anthropic\u2019s Claude Code Security Review action, the PR title is directly interpolated into the agent\u2019s prompt with zero sanitization. Because the Claude CLI is invoked without\u00a0 An attacker simply opens a PR with a malicious title that breaks out of the prompt context and instructs Claude to execute\u00a0 Google\u2019s Gemini CLI Action includes issue titles, bodies, and comments in the agent\u2019s prompt context under an \u201cAdditional Content\u201d section. By injecting a fake \u201cTrusted Content Section\u201d immediately after it, an attacker overrides Gemini\u2019s safety instructions, causing Gemini to post the\u00a0 Reported to Google VRP (#1609699) by researcher Neil Fendley alongside Johns Hopkins University collaborators, the vulnerability earned a\u00a0$1,337 bounty.<\/a><\/p>\n The GitHub Copilot Agent finding is the most technically sophisticated. GitHub had implemented three runtime-level mitigations\u00a0environment variable filtering,\u00a0secret scanning, and\u00a0network firewall\u00a0\u2014 all of which were bypassed:<\/a><\/p>\n Adding another layer of stealth, the attack payload is hidden inside an\u00a0HTML comment\u00a0in the issue body, invisible in GitHub\u2019s rendered Markdown view but fully parsed by the AI agent.<\/p>\n A victim sees only an innocent visible request and unknowingly assigns the issue to Copilot. The bug was reported via HackerOne (#3544297), initially dismissed as a \u201cknown issue\u201d but reopened after the researcher submitted reverse-engineered source code proof from Copilot\u2019s minified\u00a0![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhqZ7gIQshsK70N-UVd9PPPU_KmT3ThSP1dyvgLrdD7b7I0hoPaVz9MJnzs_TERKSqPrr2N6uMu1T1DCMNjyg3oSuy9-K8Fq8itHoP10PLHVY-A9M61dPQiVzFpYbpEFHDLFpmrOReLkQimtvPxEp6OPIL4adoHUr8mPvGUQTfgAK_O80rMn4Ldg6SUxU44\/s16000\/Attack%2520Pattern.webp?ssl=1\")
pull_request<\/code>,\u00a0issues<\/code>, and\u00a0issue_comment<\/code>\u00a0events, meaning simply opening a PR or filing an issue can activate the agent without any victim interaction.<\/a><\/p>\nFinding 1: Claude Code Security Review \u2014 PR Title to RCE<\/strong><\/h2>\n
--disallowed-tools<\/code>\u00a0or\u00a0--allowed-tools<\/code>\u00a0restrictions, the subprocess inherits all environment variables including\u00a0ANTHROPIC_API_KEY<\/code>\u00a0and\u00a0GITHUB_TOKEN<\/code>.<\/p>\nwhoami<\/code>,\u00a0ps auxeww<\/code>, or\u00a0env<\/code>\u00a0\u2014 returning the full credential dump as a JSON \u201csecurity finding\u201d posted to the PR comment. Rated\u00a0CVSS 9.4 Critical\u00a0by Anthropic (upgraded from 9.3), the bug was reported via HackerOne (#3387969) and awarded a\u00a0$100 bounty.<\/a><\/p>\nFinding 2: Gemini CLI Action \u2014 Issue Comment to API Key Leak<\/strong><\/h2>\n
GEMINI_API_KEY<\/code>\u00a0as a public issue comment, visible to anyone.<\/p>\nFinding 3: Copilot Agent \u2014 Three-Layer Defense Bypass<\/strong><\/h2>\n
\n
UU()<\/code>\u00a0function filters sensitive variables only from the child bash subprocess. Running\u00a0ps auxeww<\/code>\u00a0from that subprocess reads\u00a0\/proc\/[pid]\/environ<\/code>\u00a0of the unfiltered parent Node.js process and MCP server, recovering\u00a0GITHUB_TOKEN<\/code>,\u00a0GITHUB_COPILOT_API_TOKEN<\/code>, and two additional credentials.<\/a>\n<\/li>\nghs_<\/code>\/ghu_<\/code>\u00a0token prefixes. Base64-encoding the output before committing evades all pattern matching.<\/a>\n<\/li>\ngit push<\/code>\u00a0to a PR \u2014 a whitelisted operation \u2014 making it indistinguishable from normal Copilot workflow activity.<\/a>\n<\/li>\n<\/ul>\nindex.js<\/code>. GitHub ultimately awarded a\u00a0$500 bounty.<\/a><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgvMZWgOgsEO-s0_Gq7iCxqLqPOjC5FfN4CoHq6HKrzoizy3Ujd7b9bNOTmf9rAytqWWyQGLifmFULfWKeejgZ6hkNqyw_k7Pr685W9BIbHteISsu3V5jlcqgjRznjQ_EhoW1DfmTwNT7WsQCykKxBtkP_r-_3HVz36QlQn38hYRzNWjMJ5-Hsz1hUUSW7e\/s16000\/claude-code-api-key-leak.webp?ssl=1\")
<\/figure>\n