{"id":13449,"date":"2026-06-08T10:03:39","date_gmt":"2026-06-08T10:03:39","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/08\/microsoft-warns-claude-code-github-action-could-leak-ci-cd-workflow-secrets\/"},"modified":"2026-06-08T10:03:39","modified_gmt":"2026-06-08T10:03:39","slug":"microsoft-warns-claude-code-github-action-could-leak-ci-cd-workflow-secrets","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/08\/microsoft-warns-claude-code-github-action-could-leak-ci-cd-workflow-secrets\/","title":{"rendered":"Microsoft Warns Claude Code GitHub Action Could Leak CI\/CD Workflow Secrets"},"content":{"rendered":"<p>    Microsoft Warns Claude Code GitHub Action Could Leak CI\/CD Workflow Secrets<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">AI-powered coding tools are rapidly changing how developers build and ship software. But as these tools enter everyday development pipelines, they are also opening new doors for attackers. <\/p>\n<p class=\"wp-block-paragraph\">A recently uncovered vulnerability in a widely used AI coding assistant shows just how far that risk can go.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/01a00bac-7882-4183-a687-7aac149a149d\/Microsoft-Warns-Claude-Code-GitHub-Action-Could-Leak-CI-CD-Workflow-Secrets.pdf?AWSAccessKeyId=ASIA2F3EMEYERUBE7W6P&amp;Signature=gCKAz%2FxqFtDdTZ9syi7XbqG%2B8WI%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHUy%2B7ya%2B5yj4YtVGSmzPFU0RKls4gyF15oy1C4aaeyFAiB3O5JFopz3b3c%2F3TmuUlteCsmMqdyBLr16pflmXO2q1Sr8BAit%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIM%2B6KRkQrQq3sqzsYnKtAEBBALVtr1uksqUJ2SodJ29xm20eo2lmEekIZRjoquMAQUkFrHxc3UVeg08z9aiKIP%2F7ZFgTz4irkscpcmPl%2Bn0aBRKPC7PzB%2FMae9RU9uSpxqNc0BEepZSbL1T0ych77HlABqK42Tf1Mj9%2FBXNsDb2xV57avOHvjFY5yjwuWTNord1gps0l6Thb96cSXfXlMGYqqQQ5nVhdyyraK3ueG%2BUBKDbNYF%2BJdE1NvnWN%2Fd0DlDzsPBrdnhE4sLfoD8IFNW3h5VjyPTlXV8n95MQXYm%2B48WDGZ5AY7245us4k8ycg%2BKuOemyL62MihCsAG6hdw6h8wWq%2BYvCliwjR%2BVMenVPOvp8aa7%2FAgZkHWobNMNHSFQcjfPspContby%2BF4a2gSTUUvwVp%2F4okm9fD5XpARsEUbOigSbARdiE9ULJOB3aeOWNjsjS5OBpyQsdMY9PvZWdiZCiofgvB95rJgtBhGKtGVujHJUhFrK9OXZ%2BuVxCxXbo%2Bg%2FiKL78ptLh6jMIgqSGfFsZxXHmuSaovik1zwIqYZOJ6WVs4lO70vNVsWoNfck8AARBODE%2BCkIQpgIgHrGSBZGSdq9B2nq0dsJII%2BsbLYnaeR4%2FOgToXW5Rrz9IJwHAQhjmR6Cfufwa0mytTHRlpnD2Gdw%2BAGCeLDsbhPACqw2EvXYdids2x67qCleaSs%2FP106DN7m7Bim8OI2JH1oOTO8FmoxI2QE5eEfXM3hzNF%2BZPItzMUpYQAgQNoUgM%2BwSjfj2nWLotHe8s%2BuWpLvlB%2Bi9P9sJmXRMwQXWwLKqDDDgpnRBjqZAWaQkPhKoCdNRq52dFeqrN5Kp2Y0lGx9OFDON6Qq8zaMvYChUyo86zdtETQ5sAJ7tpT8BtiHdC9GKruzpHYB4iSB9JuTqM%2FmJ5K5AlRhiXY6xy7PWzKtnIVV%2BBhttKEMpYCbdvyRTEkIYsUIW5zYa6TUn4fzLc2qMyg%2FrAPW19Lex%2Bmf%2F6fCVbW8OjyXdU19uVkZEVn8ENgIFQ%3D%3D&amp;Expires=1780895510\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Researchers found that GitHub Actions workflows powered by AI can be manipulated through simple text inputs, such as issue comments or pull request descriptions. <\/p>\n<p class=\"wp-block-paragraph\">Since these inputs are read and acted on by an AI agent, a carefully crafted message can quietly redirect the agent to do things it was never supposed to do.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/01a00bac-7882-4183-a687-7aac149a149d\/Microsoft-Warns-Claude-Code-GitHub-Action-Could-Leak-CI-CD-Workflow-Secrets.pdf?AWSAccessKeyId=ASIA2F3EMEYERUBE7W6P&amp;Signature=gCKAz%2FxqFtDdTZ9syi7XbqG%2B8WI%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHUy%2B7ya%2B5yj4YtVGSmzPFU0RKls4gyF15oy1C4aaeyFAiB3O5JFopz3b3c%2F3TmuUlteCsmMqdyBLr16pflmXO2q1Sr8BAit%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIM%2B6KRkQrQq3sqzsYnKtAEBBALVtr1uksqUJ2SodJ29xm20eo2lmEekIZRjoquMAQUkFrHxc3UVeg08z9aiKIP%2F7ZFgTz4irkscpcmPl%2Bn0aBRKPC7PzB%2FMae9RU9uSpxqNc0BEepZSbL1T0ych77HlABqK42Tf1Mj9%2FBXNsDb2xV57avOHvjFY5yjwuWTNord1gps0l6Thb96cSXfXlMGYqqQQ5nVhdyyraK3ueG%2BUBKDbNYF%2BJdE1NvnWN%2Fd0DlDzsPBrdnhE4sLfoD8IFNW3h5VjyPTlXV8n95MQXYm%2B48WDGZ5AY7245us4k8ycg%2BKuOemyL62MihCsAG6hdw6h8wWq%2BYvCliwjR%2BVMenVPOvp8aa7%2FAgZkHWobNMNHSFQcjfPspContby%2BF4a2gSTUUvwVp%2F4okm9fD5XpARsEUbOigSbARdiE9ULJOB3aeOWNjsjS5OBpyQsdMY9PvZWdiZCiofgvB95rJgtBhGKtGVujHJUhFrK9OXZ%2BuVxCxXbo%2Bg%2FiKL78ptLh6jMIgqSGfFsZxXHmuSaovik1zwIqYZOJ6WVs4lO70vNVsWoNfck8AARBODE%2BCkIQpgIgHrGSBZGSdq9B2nq0dsJII%2BsbLYnaeR4%2FOgToXW5Rrz9IJwHAQhjmR6Cfufwa0mytTHRlpnD2Gdw%2BAGCeLDsbhPACqw2EvXYdids2x67qCleaSs%2FP106DN7m7Bim8OI2JH1oOTO8FmoxI2QE5eEfXM3hzNF%2BZPItzMUpYQAgQNoUgM%2BwSjfj2nWLotHe8s%2BuWpLvlB%2Bi9P9sJmXRMwQXWwLKqDDDgpnRBjqZAWaQkPhKoCdNRq52dFeqrN5Kp2Y0lGx9OFDON6Qq8zaMvYChUyo86zdtETQ5sAJ7tpT8BtiHdC9GKruzpHYB4iSB9JuTqM%2FmJ5K5AlRhiXY6xy7PWzKtnIVV%2BBhttKEMpYCbdvyRTEkIYsUIW5zYa6TUn4fzLc2qMyg%2FrAPW19Lex%2Bmf%2F6fCVbW8OjyXdU19uVkZEVn8ENgIFQ%3D%3D&amp;Expires=1780895510\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Microsoft Threat Intelligence identified the issue in Anthropic\u2019s Claude Code GitHub Action, noting that the AI agent could be tricked into reading sensitive environment files inside the CI\/CD runner. <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/05\/securing-ci-cd-in-agentic-world-claude-code-github-action-case\/\" id=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/05\/securing-ci-cd-in-agentic-world-claude-code-github-action-case\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">The finding was shared by Microsoft in a\u00a0report<\/a>\u00a0shared with Cyber Security News (CSN).<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/01a00bac-7882-4183-a687-7aac149a149d\/Microsoft-Warns-Claude-Code-GitHub-Action-Could-Leak-CI-CD-Workflow-Secrets.pdf?AWSAccessKeyId=ASIA2F3EMEYERUBE7W6P&amp;Signature=gCKAz%2FxqFtDdTZ9syi7XbqG%2B8WI%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHUy%2B7ya%2B5yj4YtVGSmzPFU0RKls4gyF15oy1C4aaeyFAiB3O5JFopz3b3c%2F3TmuUlteCsmMqdyBLr16pflmXO2q1Sr8BAit%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIM%2B6KRkQrQq3sqzsYnKtAEBBALVtr1uksqUJ2SodJ29xm20eo2lmEekIZRjoquMAQUkFrHxc3UVeg08z9aiKIP%2F7ZFgTz4irkscpcmPl%2Bn0aBRKPC7PzB%2FMae9RU9uSpxqNc0BEepZSbL1T0ych77HlABqK42Tf1Mj9%2FBXNsDb2xV57avOHvjFY5yjwuWTNord1gps0l6Thb96cSXfXlMGYqqQQ5nVhdyyraK3ueG%2BUBKDbNYF%2BJdE1NvnWN%2Fd0DlDzsPBrdnhE4sLfoD8IFNW3h5VjyPTlXV8n95MQXYm%2B48WDGZ5AY7245us4k8ycg%2BKuOemyL62MihCsAG6hdw6h8wWq%2BYvCliwjR%2BVMenVPOvp8aa7%2FAgZkHWobNMNHSFQcjfPspContby%2BF4a2gSTUUvwVp%2F4okm9fD5XpARsEUbOigSbARdiE9ULJOB3aeOWNjsjS5OBpyQsdMY9PvZWdiZCiofgvB95rJgtBhGKtGVujHJUhFrK9OXZ%2BuVxCxXbo%2Bg%2FiKL78ptLh6jMIgqSGfFsZxXHmuSaovik1zwIqYZOJ6WVs4lO70vNVsWoNfck8AARBODE%2BCkIQpgIgHrGSBZGSdq9B2nq0dsJII%2BsbLYnaeR4%2FOgToXW5Rrz9IJwHAQhjmR6Cfufwa0mytTHRlpnD2Gdw%2BAGCeLDsbhPACqw2EvXYdids2x67qCleaSs%2FP106DN7m7Bim8OI2JH1oOTO8FmoxI2QE5eEfXM3hzNF%2BZPItzMUpYQAgQNoUgM%2BwSjfj2nWLotHe8s%2BuWpLvlB%2Bi9P9sJmXRMwQXWwLKqDDDgpnRBjqZAWaQkPhKoCdNRq52dFeqrN5Kp2Y0lGx9OFDON6Qq8zaMvYChUyo86zdtETQ5sAJ7tpT8BtiHdC9GKruzpHYB4iSB9JuTqM%2FmJ5K5AlRhiXY6xy7PWzKtnIVV%2BBhttKEMpYCbdvyRTEkIYsUIW5zYa6TUn4fzLc2qMyg%2FrAPW19Lex%2Bmf%2F6fCVbW8OjyXdU19uVkZEVn8ENgIFQ%3D%3D&amp;Expires=1780895510\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">At the heart of the problem is a gap in how <a href=\"https:\/\/cybersecuritynews.com\/netscaler-vulnerability-unauthorized-command-execution\/\" id=\"93395\" target=\"_blank\" rel=\"noreferrer noopener\">the tool handles file access versus command execution<\/a>. While the Bash tool ran inside a secure sandbox that stripped environment variables, the Read tool did not follow the same rules. <\/p>\n<p class=\"wp-block-paragraph\">That inconsistency gave attackers a direct path to credentials that were never meant to leave the system. <a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/01a00bac-7882-4183-a687-7aac149a149d\/Microsoft-Warns-Claude-Code-GitHub-Action-Could-Leak-CI-CD-Workflow-Secrets.pdf?AWSAccessKeyId=ASIA2F3EMEYERUBE7W6P&amp;Signature=gCKAz%2FxqFtDdTZ9syi7XbqG%2B8WI%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHUy%2B7ya%2B5yj4YtVGSmzPFU0RKls4gyF15oy1C4aaeyFAiB3O5JFopz3b3c%2F3TmuUlteCsmMqdyBLr16pflmXO2q1Sr8BAit%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIM%2B6KRkQrQq3sqzsYnKtAEBBALVtr1uksqUJ2SodJ29xm20eo2lmEekIZRjoquMAQUkFrHxc3UVeg08z9aiKIP%2F7ZFgTz4irkscpcmPl%2Bn0aBRKPC7PzB%2FMae9RU9uSpxqNc0BEepZSbL1T0ych77HlABqK42Tf1Mj9%2FBXNsDb2xV57avOHvjFY5yjwuWTNord1gps0l6Thb96cSXfXlMGYqqQQ5nVhdyyraK3ueG%2BUBKDbNYF%2BJdE1NvnWN%2Fd0DlDzsPBrdnhE4sLfoD8IFNW3h5VjyPTlXV8n95MQXYm%2B48WDGZ5AY7245us4k8ycg%2BKuOemyL62MihCsAG6hdw6h8wWq%2BYvCliwjR%2BVMenVPOvp8aa7%2FAgZkHWobNMNHSFQcjfPspContby%2BF4a2gSTUUvwVp%2F4okm9fD5XpARsEUbOigSbARdiE9ULJOB3aeOWNjsjS5OBpyQsdMY9PvZWdiZCiofgvB95rJgtBhGKtGVujHJUhFrK9OXZ%2BuVxCxXbo%2Bg%2FiKL78ptLh6jMIgqSGfFsZxXHmuSaovik1zwIqYZOJ6WVs4lO70vNVsWoNfck8AARBODE%2BCkIQpgIgHrGSBZGSdq9B2nq0dsJII%2BsbLYnaeR4%2FOgToXW5Rrz9IJwHAQhjmR6Cfufwa0mytTHRlpnD2Gdw%2BAGCeLDsbhPACqw2EvXYdids2x67qCleaSs%2FP106DN7m7Bim8OI2JH1oOTO8FmoxI2QE5eEfXM3hzNF%2BZPItzMUpYQAgQNoUgM%2BwSjfj2nWLotHe8s%2BuWpLvlB%2Bi9P9sJmXRMwQXWwLKqDDDgpnRBjqZAWaQkPhKoCdNRq52dFeqrN5Kp2Y0lGx9OFDON6Qq8zaMvYChUyo86zdtETQ5sAJ7tpT8BtiHdC9GKruzpHYB4iSB9JuTqM%2FmJ5K5AlRhiXY6xy7PWzKtnIVV%2BBhttKEMpYCbdvyRTEkIYsUIW5zYa6TUn4fzLc2qMyg%2FrAPW19Lex%2Bmf%2F6fCVbW8OjyXdU19uVkZEVn8ENgIFQ%3D%3D&amp;Expires=1780895510\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a>The consequences could be serious for any team relying on automated AI workflows in their development pipeline. <\/p>\n<p class=\"wp-block-paragraph\">A leaked API key could let an attacker impersonate the workflow, consume resources, or gain deeper access into connected systems. The issue was responsibly disclosed to Anthropic, which released a fix in Claude Code version 2.1.128 on May 5, 2026.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/01a00bac-7882-4183-a687-7aac149a149d\/Microsoft-Warns-Claude-Code-GitHub-Action-Could-Leak-CI-CD-Workflow-Secrets.pdf?AWSAccessKeyId=ASIA2F3EMEYERUBE7W6P&amp;Signature=gCKAz%2FxqFtDdTZ9syi7XbqG%2B8WI%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHUy%2B7ya%2B5yj4YtVGSmzPFU0RKls4gyF15oy1C4aaeyFAiB3O5JFopz3b3c%2F3TmuUlteCsmMqdyBLr16pflmXO2q1Sr8BAit%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIM%2B6KRkQrQq3sqzsYnKtAEBBALVtr1uksqUJ2SodJ29xm20eo2lmEekIZRjoquMAQUkFrHxc3UVeg08z9aiKIP%2F7ZFgTz4irkscpcmPl%2Bn0aBRKPC7PzB%2FMae9RU9uSpxqNc0BEepZSbL1T0ych77HlABqK42Tf1Mj9%2FBXNsDb2xV57avOHvjFY5yjwuWTNord1gps0l6Thb96cSXfXlMGYqqQQ5nVhdyyraK3ueG%2BUBKDbNYF%2BJdE1NvnWN%2Fd0DlDzsPBrdnhE4sLfoD8IFNW3h5VjyPTlXV8n95MQXYm%2B48WDGZ5AY7245us4k8ycg%2BKuOemyL62MihCsAG6hdw6h8wWq%2BYvCliwjR%2BVMenVPOvp8aa7%2FAgZkHWobNMNHSFQcjfPspContby%2BF4a2gSTUUvwVp%2F4okm9fD5XpARsEUbOigSbARdiE9ULJOB3aeOWNjsjS5OBpyQsdMY9PvZWdiZCiofgvB95rJgtBhGKtGVujHJUhFrK9OXZ%2BuVxCxXbo%2Bg%2FiKL78ptLh6jMIgqSGfFsZxXHmuSaovik1zwIqYZOJ6WVs4lO70vNVsWoNfck8AARBODE%2BCkIQpgIgHrGSBZGSdq9B2nq0dsJII%2BsbLYnaeR4%2FOgToXW5Rrz9IJwHAQhjmR6Cfufwa0mytTHRlpnD2Gdw%2BAGCeLDsbhPACqw2EvXYdids2x67qCleaSs%2FP106DN7m7Bim8OI2JH1oOTO8FmoxI2QE5eEfXM3hzNF%2BZPItzMUpYQAgQNoUgM%2BwSjfj2nWLotHe8s%2BuWpLvlB%2Bi9P9sJmXRMwQXWwLKqDDDgpnRBjqZAWaQkPhKoCdNRq52dFeqrN5Kp2Y0lGx9OFDON6Qq8zaMvYChUyo86zdtETQ5sAJ7tpT8BtiHdC9GKruzpHYB4iSB9JuTqM%2FmJ5K5AlRhiXY6xy7PWzKtnIVV%2BBhttKEMpYCbdvyRTEkIYsUIW5zYa6TUn4fzLc2qMyg%2FrAPW19Lex%2Bmf%2F6fCVbW8OjyXdU19uVkZEVn8ENgIFQ%3D%3D&amp;Expires=1780895510\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-microsoft-warns-claude-code-github-action-could-leak\" class=\"wp-block-heading\"><strong>Microsoft Warns Claude Code GitHub Action Could Leak<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The vulnerability worked through what researchers call prompt injection. An attacker would place a hidden instruction inside a GitHub issue or pull request, written in a way that looks harmless to a human reviewer but is treated as a command by the AI model reading the raw text.<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/01a00bac-7882-4183-a687-7aac149a149d\/Microsoft-Warns-Claude-Code-GitHub-Action-Could-Leak-CI-CD-Workflow-Secrets.pdf?AWSAccessKeyId=ASIA2F3EMEYERUBE7W6P&amp;Signature=gCKAz%2FxqFtDdTZ9syi7XbqG%2B8WI%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHUy%2B7ya%2B5yj4YtVGSmzPFU0RKls4gyF15oy1C4aaeyFAiB3O5JFopz3b3c%2F3TmuUlteCsmMqdyBLr16pflmXO2q1Sr8BAit%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIM%2B6KRkQrQq3sqzsYnKtAEBBALVtr1uksqUJ2SodJ29xm20eo2lmEekIZRjoquMAQUkFrHxc3UVeg08z9aiKIP%2F7ZFgTz4irkscpcmPl%2Bn0aBRKPC7PzB%2FMae9RU9uSpxqNc0BEepZSbL1T0ych77HlABqK42Tf1Mj9%2FBXNsDb2xV57avOHvjFY5yjwuWTNord1gps0l6Thb96cSXfXlMGYqqQQ5nVhdyyraK3ueG%2BUBKDbNYF%2BJdE1NvnWN%2Fd0DlDzsPBrdnhE4sLfoD8IFNW3h5VjyPTlXV8n95MQXYm%2B48WDGZ5AY7245us4k8ycg%2BKuOemyL62MihCsAG6hdw6h8wWq%2BYvCliwjR%2BVMenVPOvp8aa7%2FAgZkHWobNMNHSFQcjfPspContby%2BF4a2gSTUUvwVp%2F4okm9fD5XpARsEUbOigSbARdiE9ULJOB3aeOWNjsjS5OBpyQsdMY9PvZWdiZCiofgvB95rJgtBhGKtGVujHJUhFrK9OXZ%2BuVxCxXbo%2Bg%2FiKL78ptLh6jMIgqSGfFsZxXHmuSaovik1zwIqYZOJ6WVs4lO70vNVsWoNfck8AARBODE%2BCkIQpgIgHrGSBZGSdq9B2nq0dsJII%2BsbLYnaeR4%2FOgToXW5Rrz9IJwHAQhjmR6Cfufwa0mytTHRlpnD2Gdw%2BAGCeLDsbhPACqw2EvXYdids2x67qCleaSs%2FP106DN7m7Bim8OI2JH1oOTO8FmoxI2QE5eEfXM3hzNF%2BZPItzMUpYQAgQNoUgM%2BwSjfj2nWLotHe8s%2BuWpLvlB%2Bi9P9sJmXRMwQXWwLKqDDDgpnRBjqZAWaQkPhKoCdNRq52dFeqrN5Kp2Y0lGx9OFDON6Qq8zaMvYChUyo86zdtETQ5sAJ7tpT8BtiHdC9GKruzpHYB4iSB9JuTqM%2FmJ5K5AlRhiXY6xy7PWzKtnIVV%2BBhttKEMpYCbdvyRTEkIYsUIW5zYa6TUn4fzLc2qMyg%2FrAPW19Lex%2Bmf%2F6fCVbW8OjyXdU19uVkZEVn8ENgIFQ%3D%3D&amp;Expires=1780895510\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">In tests conducted by Microsoft\u2019s team, a malicious prompt instructed the agent to perform a \u201ccompliance review.\u201d The phrasing was deliberate. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiWpwTNNfIpp445wXWMy9Drmxt0XB1bC1L6B6gk9CvNAkQ9_HL6b-Eg0AOiudjZErXCg4_MDKp-KWS644HITFFJPL6XfxB-8RE_jkCwa2ObkF_ar1a6dYP31gd9lOpKyXtIeiB7IPBv7gdQCP8KnSAJo4gM8shLyfni2-reMieQqtLJCs4gs2DBCXgoWOU\/s16000\/Attack%2520flow%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\" alt=\"Attack flow (Source - Microsoft)\"><figcaption class=\"wp-element-caption\">Attack flow (Source \u2013 Microsoft)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">It avoided triggering Claude\u2019s built-in safety filters, which block obvious requests to print API keys. By disguising the request and telling the model to trim the first seven characters of the result, the attacker bypassed both the AI\u2019s refusal layer and GitHub\u2019s Secret Scanner.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/01a00bac-7882-4183-a687-7aac149a149d\/Microsoft-Warns-Claude-Code-GitHub-Action-Could-Leak-CI-CD-Workflow-Secrets.pdf?AWSAccessKeyId=ASIA2F3EMEYERUBE7W6P&amp;Signature=gCKAz%2FxqFtDdTZ9syi7XbqG%2B8WI%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHUy%2B7ya%2B5yj4YtVGSmzPFU0RKls4gyF15oy1C4aaeyFAiB3O5JFopz3b3c%2F3TmuUlteCsmMqdyBLr16pflmXO2q1Sr8BAit%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIM%2B6KRkQrQq3sqzsYnKtAEBBALVtr1uksqUJ2SodJ29xm20eo2lmEekIZRjoquMAQUkFrHxc3UVeg08z9aiKIP%2F7ZFgTz4irkscpcmPl%2Bn0aBRKPC7PzB%2FMae9RU9uSpxqNc0BEepZSbL1T0ych77HlABqK42Tf1Mj9%2FBXNsDb2xV57avOHvjFY5yjwuWTNord1gps0l6Thb96cSXfXlMGYqqQQ5nVhdyyraK3ueG%2BUBKDbNYF%2BJdE1NvnWN%2Fd0DlDzsPBrdnhE4sLfoD8IFNW3h5VjyPTlXV8n95MQXYm%2B48WDGZ5AY7245us4k8ycg%2BKuOemyL62MihCsAG6hdw6h8wWq%2BYvCliwjR%2BVMenVPOvp8aa7%2FAgZkHWobNMNHSFQcjfPspContby%2BF4a2gSTUUvwVp%2F4okm9fD5XpARsEUbOigSbARdiE9ULJOB3aeOWNjsjS5OBpyQsdMY9PvZWdiZCiofgvB95rJgtBhGKtGVujHJUhFrK9OXZ%2BuVxCxXbo%2Bg%2FiKL78ptLh6jMIgqSGfFsZxXHmuSaovik1zwIqYZOJ6WVs4lO70vNVsWoNfck8AARBODE%2BCkIQpgIgHrGSBZGSdq9B2nq0dsJII%2BsbLYnaeR4%2FOgToXW5Rrz9IJwHAQhjmR6Cfufwa0mytTHRlpnD2Gdw%2BAGCeLDsbhPACqw2EvXYdids2x67qCleaSs%2FP106DN7m7Bim8OI2JH1oOTO8FmoxI2QE5eEfXM3hzNF%2BZPItzMUpYQAgQNoUgM%2BwSjfj2nWLotHe8s%2BuWpLvlB%2Bi9P9sJmXRMwQXWwLKqDDDgpnRBjqZAWaQkPhKoCdNRq52dFeqrN5Kp2Y0lGx9OFDON6Qq8zaMvYChUyo86zdtETQ5sAJ7tpT8BtiHdC9GKruzpHYB4iSB9JuTqM%2FmJ5K5AlRhiXY6xy7PWzKtnIVV%2BBhttKEMpYCbdvyRTEkIYsUIW5zYa6TUn4fzLc2qMyg%2FrAPW19Lex%2Bmf%2F6fCVbW8OjyXdU19uVkZEVn8ENgIFQ%3D%3D&amp;Expires=1780895510\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The Read tool, once manipulated, accessed\u00a0<code>\/proc\/self\/environ<\/code>\u00a0directly inside the runner\u2019s process memory. This returned the unscrubbed\u00a0<code>ANTHROPIC_API_KEY<\/code>\u00a0along with other credentials present in the environment. <\/p>\n<p class=\"wp-block-paragraph\">From there, the attacker could reconstruct the full key and <a href=\"https:\/\/cybersecuritynews.com\/secure-video-production-workflow-data-protection-guide\/\" id=\"143916\" target=\"_blank\" rel=\"noreferrer noopener\">exfiltrate it through channels the workflow allowed<\/a>, including web requests, issue comments, or action logs.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/01a00bac-7882-4183-a687-7aac149a149d\/Microsoft-Warns-Claude-Code-GitHub-Action-Could-Leak-CI-CD-Workflow-Secrets.pdf?AWSAccessKeyId=ASIA2F3EMEYERUBE7W6P&amp;Signature=gCKAz%2FxqFtDdTZ9syi7XbqG%2B8WI%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHUy%2B7ya%2B5yj4YtVGSmzPFU0RKls4gyF15oy1C4aaeyFAiB3O5JFopz3b3c%2F3TmuUlteCsmMqdyBLr16pflmXO2q1Sr8BAit%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIM%2B6KRkQrQq3sqzsYnKtAEBBALVtr1uksqUJ2SodJ29xm20eo2lmEekIZRjoquMAQUkFrHxc3UVeg08z9aiKIP%2F7ZFgTz4irkscpcmPl%2Bn0aBRKPC7PzB%2FMae9RU9uSpxqNc0BEepZSbL1T0ych77HlABqK42Tf1Mj9%2FBXNsDb2xV57avOHvjFY5yjwuWTNord1gps0l6Thb96cSXfXlMGYqqQQ5nVhdyyraK3ueG%2BUBKDbNYF%2BJdE1NvnWN%2Fd0DlDzsPBrdnhE4sLfoD8IFNW3h5VjyPTlXV8n95MQXYm%2B48WDGZ5AY7245us4k8ycg%2BKuOemyL62MihCsAG6hdw6h8wWq%2BYvCliwjR%2BVMenVPOvp8aa7%2FAgZkHWobNMNHSFQcjfPspContby%2BF4a2gSTUUvwVp%2F4okm9fD5XpARsEUbOigSbARdiE9ULJOB3aeOWNjsjS5OBpyQsdMY9PvZWdiZCiofgvB95rJgtBhGKtGVujHJUhFrK9OXZ%2BuVxCxXbo%2Bg%2FiKL78ptLh6jMIgqSGfFsZxXHmuSaovik1zwIqYZOJ6WVs4lO70vNVsWoNfck8AARBODE%2BCkIQpgIgHrGSBZGSdq9B2nq0dsJII%2BsbLYnaeR4%2FOgToXW5Rrz9IJwHAQhjmR6Cfufwa0mytTHRlpnD2Gdw%2BAGCeLDsbhPACqw2EvXYdids2x67qCleaSs%2FP106DN7m7Bim8OI2JH1oOTO8FmoxI2QE5eEfXM3hzNF%2BZPItzMUpYQAgQNoUgM%2BwSjfj2nWLotHe8s%2BuWpLvlB%2Bi9P9sJmXRMwQXWwLKqDDDgpnRBjqZAWaQkPhKoCdNRq52dFeqrN5Kp2Y0lGx9OFDON6Qq8zaMvYChUyo86zdtETQ5sAJ7tpT8BtiHdC9GKruzpHYB4iSB9JuTqM%2FmJ5K5AlRhiXY6xy7PWzKtnIVV%2BBhttKEMpYCbdvyRTEkIYsUIW5zYa6TUn4fzLc2qMyg%2FrAPW19Lex%2Bmf%2F6fCVbW8OjyXdU19uVkZEVn8ENgIFQ%3D%3D&amp;Expires=1780895510\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Microsoft noted the attack chain maps to several MITRE ATLAS techniques, including LLM Prompt Injection, AI Agent Tool Invocation, LLM Jailbreak, and <a href=\"https:\/\/cybersecuritynews.com\/hackers-deploy-modular-rat-with-credential-theft\/\" id=\"149519\" target=\"_blank\" rel=\"noreferrer noopener\">AI Agent Tool Credential Harvesting<\/a>. The full exploit required no special access, just the ability to open an issue or submit a pull request.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/01a00bac-7882-4183-a687-7aac149a149d\/Microsoft-Warns-Claude-Code-GitHub-Action-Could-Leak-CI-CD-Workflow-Secrets.pdf?AWSAccessKeyId=ASIA2F3EMEYERUBE7W6P&amp;Signature=gCKAz%2FxqFtDdTZ9syi7XbqG%2B8WI%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHUy%2B7ya%2B5yj4YtVGSmzPFU0RKls4gyF15oy1C4aaeyFAiB3O5JFopz3b3c%2F3TmuUlteCsmMqdyBLr16pflmXO2q1Sr8BAit%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIM%2B6KRkQrQq3sqzsYnKtAEBBALVtr1uksqUJ2SodJ29xm20eo2lmEekIZRjoquMAQUkFrHxc3UVeg08z9aiKIP%2F7ZFgTz4irkscpcmPl%2Bn0aBRKPC7PzB%2FMae9RU9uSpxqNc0BEepZSbL1T0ych77HlABqK42Tf1Mj9%2FBXNsDb2xV57avOHvjFY5yjwuWTNord1gps0l6Thb96cSXfXlMGYqqQQ5nVhdyyraK3ueG%2BUBKDbNYF%2BJdE1NvnWN%2Fd0DlDzsPBrdnhE4sLfoD8IFNW3h5VjyPTlXV8n95MQXYm%2B48WDGZ5AY7245us4k8ycg%2BKuOemyL62MihCsAG6hdw6h8wWq%2BYvCliwjR%2BVMenVPOvp8aa7%2FAgZkHWobNMNHSFQcjfPspContby%2BF4a2gSTUUvwVp%2F4okm9fD5XpARsEUbOigSbARdiE9ULJOB3aeOWNjsjS5OBpyQsdMY9PvZWdiZCiofgvB95rJgtBhGKtGVujHJUhFrK9OXZ%2BuVxCxXbo%2Bg%2FiKL78ptLh6jMIgqSGfFsZxXHmuSaovik1zwIqYZOJ6WVs4lO70vNVsWoNfck8AARBODE%2BCkIQpgIgHrGSBZGSdq9B2nq0dsJII%2BsbLYnaeR4%2FOgToXW5Rrz9IJwHAQhjmR6Cfufwa0mytTHRlpnD2Gdw%2BAGCeLDsbhPACqw2EvXYdids2x67qCleaSs%2FP106DN7m7Bim8OI2JH1oOTO8FmoxI2QE5eEfXM3hzNF%2BZPItzMUpYQAgQNoUgM%2BwSjfj2nWLotHe8s%2BuWpLvlB%2Bi9P9sJmXRMwQXWwLKqDDDgpnRBjqZAWaQkPhKoCdNRq52dFeqrN5Kp2Y0lGx9OFDON6Qq8zaMvYChUyo86zdtETQ5sAJ7tpT8BtiHdC9GKruzpHYB4iSB9JuTqM%2FmJ5K5AlRhiXY6xy7PWzKtnIVV%2BBhttKEMpYCbdvyRTEkIYsUIW5zYa6TUn4fzLc2qMyg%2FrAPW19Lex%2Bmf%2F6fCVbW8OjyXdU19uVkZEVn8ENgIFQ%3D%3D&amp;Expires=1780895510\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-hardening-ai-powered-ci-cd-workflows\" class=\"wp-block-heading\"><strong>Hardening AI-Powered CI\/CD Workflows<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Microsoft\u2019s team laid out practical steps for defenders. The most important principle they introduced is the \u201cAgents Rule of Two.\u201d <\/p>\n<p class=\"wp-block-paragraph\">An AI workflow should never combine all three of the following at the same time: processing untrusted input, accessing sensitive secrets, and taking external actions or modifying state.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/01a00bac-7882-4183-a687-7aac149a149d\/Microsoft-Warns-Claude-Code-GitHub-Action-Could-Leak-CI-CD-Workflow-Secrets.pdf?AWSAccessKeyId=ASIA2F3EMEYERUBE7W6P&amp;Signature=gCKAz%2FxqFtDdTZ9syi7XbqG%2B8WI%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHUy%2B7ya%2B5yj4YtVGSmzPFU0RKls4gyF15oy1C4aaeyFAiB3O5JFopz3b3c%2F3TmuUlteCsmMqdyBLr16pflmXO2q1Sr8BAit%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIM%2B6KRkQrQq3sqzsYnKtAEBBALVtr1uksqUJ2SodJ29xm20eo2lmEekIZRjoquMAQUkFrHxc3UVeg08z9aiKIP%2F7ZFgTz4irkscpcmPl%2Bn0aBRKPC7PzB%2FMae9RU9uSpxqNc0BEepZSbL1T0ych77HlABqK42Tf1Mj9%2FBXNsDb2xV57avOHvjFY5yjwuWTNord1gps0l6Thb96cSXfXlMGYqqQQ5nVhdyyraK3ueG%2BUBKDbNYF%2BJdE1NvnWN%2Fd0DlDzsPBrdnhE4sLfoD8IFNW3h5VjyPTlXV8n95MQXYm%2B48WDGZ5AY7245us4k8ycg%2BKuOemyL62MihCsAG6hdw6h8wWq%2BYvCliwjR%2BVMenVPOvp8aa7%2FAgZkHWobNMNHSFQcjfPspContby%2BF4a2gSTUUvwVp%2F4okm9fD5XpARsEUbOigSbARdiE9ULJOB3aeOWNjsjS5OBpyQsdMY9PvZWdiZCiofgvB95rJgtBhGKtGVujHJUhFrK9OXZ%2BuVxCxXbo%2Bg%2FiKL78ptLh6jMIgqSGfFsZxXHmuSaovik1zwIqYZOJ6WVs4lO70vNVsWoNfck8AARBODE%2BCkIQpgIgHrGSBZGSdq9B2nq0dsJII%2BsbLYnaeR4%2FOgToXW5Rrz9IJwHAQhjmR6Cfufwa0mytTHRlpnD2Gdw%2BAGCeLDsbhPACqw2EvXYdids2x67qCleaSs%2FP106DN7m7Bim8OI2JH1oOTO8FmoxI2QE5eEfXM3hzNF%2BZPItzMUpYQAgQNoUgM%2BwSjfj2nWLotHe8s%2BuWpLvlB%2Bi9P9sJmXRMwQXWwLKqDDDgpnRBjqZAWaQkPhKoCdNRq52dFeqrN5Kp2Y0lGx9OFDON6Qq8zaMvYChUyo86zdtETQ5sAJ7tpT8BtiHdC9GKruzpHYB4iSB9JuTqM%2FmJ5K5AlRhiXY6xy7PWzKtnIVV%2BBhttKEMpYCbdvyRTEkIYsUIW5zYa6TUn4fzLc2qMyg%2FrAPW19Lex%2Bmf%2F6fCVbW8OjyXdU19uVkZEVn8ENgIFQ%3D%3D&amp;Expires=1780895510\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Teams should apply strict least-privilege controls to every token and API key wired into a workflow. Each key should be scoped to only what that specific workflow needs, and usage should be monitored at the provider level for unusual activity. <\/p>\n<p class=\"wp-block-paragraph\">Alerts tied to new IP addresses or unexpected endpoint calls can give defenders early warning.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/01a00bac-7882-4183-a687-7aac149a149d\/Microsoft-Warns-Claude-Code-GitHub-Action-Could-Leak-CI-CD-Workflow-Secrets.pdf?AWSAccessKeyId=ASIA2F3EMEYERUBE7W6P&amp;Signature=gCKAz%2FxqFtDdTZ9syi7XbqG%2B8WI%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHUy%2B7ya%2B5yj4YtVGSmzPFU0RKls4gyF15oy1C4aaeyFAiB3O5JFopz3b3c%2F3TmuUlteCsmMqdyBLr16pflmXO2q1Sr8BAit%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIM%2B6KRkQrQq3sqzsYnKtAEBBALVtr1uksqUJ2SodJ29xm20eo2lmEekIZRjoquMAQUkFrHxc3UVeg08z9aiKIP%2F7ZFgTz4irkscpcmPl%2Bn0aBRKPC7PzB%2FMae9RU9uSpxqNc0BEepZSbL1T0ych77HlABqK42Tf1Mj9%2FBXNsDb2xV57avOHvjFY5yjwuWTNord1gps0l6Thb96cSXfXlMGYqqQQ5nVhdyyraK3ueG%2BUBKDbNYF%2BJdE1NvnWN%2Fd0DlDzsPBrdnhE4sLfoD8IFNW3h5VjyPTlXV8n95MQXYm%2B48WDGZ5AY7245us4k8ycg%2BKuOemyL62MihCsAG6hdw6h8wWq%2BYvCliwjR%2BVMenVPOvp8aa7%2FAgZkHWobNMNHSFQcjfPspContby%2BF4a2gSTUUvwVp%2F4okm9fD5XpARsEUbOigSbARdiE9ULJOB3aeOWNjsjS5OBpyQsdMY9PvZWdiZCiofgvB95rJgtBhGKtGVujHJUhFrK9OXZ%2BuVxCxXbo%2Bg%2FiKL78ptLh6jMIgqSGfFsZxXHmuSaovik1zwIqYZOJ6WVs4lO70vNVsWoNfck8AARBODE%2BCkIQpgIgHrGSBZGSdq9B2nq0dsJII%2BsbLYnaeR4%2FOgToXW5Rrz9IJwHAQhjmR6Cfufwa0mytTHRlpnD2Gdw%2BAGCeLDsbhPACqw2EvXYdids2x67qCleaSs%2FP106DN7m7Bim8OI2JH1oOTO8FmoxI2QE5eEfXM3hzNF%2BZPItzMUpYQAgQNoUgM%2BwSjfj2nWLotHe8s%2BuWpLvlB%2Bi9P9sJmXRMwQXWwLKqDDDgpnRBjqZAWaQkPhKoCdNRq52dFeqrN5Kp2Y0lGx9OFDON6Qq8zaMvYChUyo86zdtETQ5sAJ7tpT8BtiHdC9GKruzpHYB4iSB9JuTqM%2FmJ5K5AlRhiXY6xy7PWzKtnIVV%2BBhttKEMpYCbdvyRTEkIYsUIW5zYa6TUn4fzLc2qMyg%2FrAPW19Lex%2Bmf%2F6fCVbW8OjyXdU19uVkZEVn8ENgIFQ%3D%3D&amp;Expires=1780895510\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">On the prompt level, <a href=\"https:\/\/cybersecuritynews.com\/researcher-jailbreaking-an-ais-system-prompt\/\" id=\"89617\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft recommends hardening the system prompt<\/a> so the agent clearly understands what counts as data versus what counts as an instruction. <\/p>\n<p class=\"wp-block-paragraph\">A well-written system prompt should name the surfaces the agent reads, such as issue bodies or pull request diffs, and make clear that all of that content is untrusted. <\/p>\n<p class=\"wp-block-paragraph\">Pinning the agent to a single, defined task reduces the chances it gets steered off course by a cleverly worded payload.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 90%,rgb(169,184,195) 100%)\"><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong>Follow us on\u00a0<a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener\">Google News<\/a>,\u00a0<a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a>,\u00a0and\u00a0<a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener\">X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0<strong>Set CSN as a Preferred Source in<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong> <strong><strong><a href=\"https:\/\/www.google.com\/preferences\/source?q=cybersecuritynews.com\" target=\"_blank\" rel=\"noreferrer noopener\">Google<\/a><\/strong><\/strong>.<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/microsoft-warns-claude-code-github-action\/\">Microsoft Warns Claude Code GitHub Action Could Leak CI\/CD Workflow Secrets<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/microsoft-warns-claude-code-github-action\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Warns Claude Code GitHub Action Could Leak CI\/CD Workflow Secrets AI-powered coding tools are rapidly changing how developers build and ship software. But as these tools enter everyday development pipelines, they are also opening new doors for attackers. A recently uncovered vulnerability in a widely used AI coding assistant shows just how far that [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13449","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13449"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13449"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13449\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}