
Poisoning Claude Code One GitHub Issue to Break the Supply C...#301

Open
carlospolop wants to merge 1 commit into master from update_Poisoning_Claude_Code__One_GitHub_Issue_to_Break_t_20260602_103342

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Post: Poisoning Claude Code: One GitHub Issue to Break the Supply Chain, published on June 1, 2026 by RyotaK / GMO Flatt Security. The post describes a high-impact vulnerability and related misconfigurations in Claude Code GitHub Actions, fixed by Anthropic as of Claude Code GitHub Actions v1.0.94. No CVE is mentioned. Anthropic rated the issues CVSS v4.0 7.8 and awarded a bug bounty of $3,80...

🔧 Technical Details

GitHub App actor permission bypass: A CI authorization check that treats any actor ending in [bot] as trusted can be bypassed with a malicious GitHub App. GitHub Apps can create issues or pull requests in public repositories using an installation token even when not installed on the target repository. If the workflow only checks the actor string or assumes every GitHub App is trusted, an attacker can create a GitHub App, install it on their own repository, use its token to open attacker-controlled content in the victim repository, and pass the workflow authorization gate.

Indirect prompt injection through issue, PR, and comment content: LLM-based CI agents that fetch GitHub issues, PRs, comments, or reviews must treat that text as hostile. An attacker can include instructions disguised as errors, tool outputs, recovery steps, or operational guidance. When the agent retrieves the content using tools such as mcp__github__get_i...

🤖 Agent Actions

Using repo inspection to choose the best existing page before editing.
Done.

Updated:

  • src/pentesting-ci-cd/github-security/abusing-github-actions/README.md

Added concise coverage for:

  • Claude Code *[bot] trust bypass via malicious GitHub Apps
  • Indirect prompt injection through MCP/tool-fetched issue or PR content
  • Secret exfiltration from env/process context and workflow summaries
  • OIDC replay using ACTIONS_ID_TOKEN_REQUEST_URL + ACTIONS_ID_TOKEN_REQUEST_TOKEN
  • Low-privilege triage → trusted workflow chaining
  • gh issue view URL-argument exfiltration risk
  • Hardening guidance and blog reference

Validation:

  • Basic content checks passed
  • mdbook build could not run here because mdbook is not installed (/bin/bash: mdbook: command not found)

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
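The bypass summarized under "GitHub App actor permission bypass" above hinges on an authorization gate that trusts any actor whose login ends in `[bot]`. The following is an added example, not code from this PR, from HackTricks, or from the cited blog post: it places that weak check next to an allowlist check keyed on the numeric id of the GitHub App that actually authored the issue, and runs both over constructed webhook payloads. The payload field names (`sender.login`, `sender.type`, `issue.performed_via_github_app.id`/`.slug`) follow GitHub's issue event shape and the `<slug>[bot]` login convention for app bot users; treat them as assumptions to verify against the event types your workflow consumes. The app id in `TRUSTED_APP_IDS` is a placeholder.

```python
"""Added example: weak '[bot]' suffix gate vs. an app-id allowlist gate.

Not taken from the PR or the blog post; webhook field names and the
'<slug>[bot]' login convention are assumptions to check for your event type.
"""

# Assumed: numeric ids of the GitHub App(s) this workflow is allowed to trust.
# 123456 is a constructed placeholder, not a real app id.
TRUSTED_APP_IDS = {123456}


def weak_is_trusted(actor: str) -> bool:
    """The gate described in the post: any actor ending in '[bot]' is trusted.

    Every GitHub App, including one an attacker registers and installs on
    their own repository, gets a '<slug>[bot]' login, so this check alone
    does not distinguish a trusted app from an arbitrary one.
    """
    return actor.endswith("[bot]")


def hardened_is_trusted(event: dict) -> bool:
    """Trust a specific app identified by its numeric id, not by its login.

    All of the following must hold:
      * the sender is of type 'Bot' (a GitHub App, not a user account),
      * the issue/comment was authored via an app whose id is allowlisted,
      * the sending login matches that app's slug ('<slug>[bot]').
    Payloads without 'performed_via_github_app' (assumption: some event
    types omit it) are denied rather than assumed trusted.
    """
    sender = event.get("sender") or {}
    if sender.get("type") != "Bot":
        return False
    target = event.get("issue") or event.get("comment") or {}
    app = target.get("performed_via_github_app")
    if not app or app.get("id") not in TRUSTED_APP_IDS:
        return False
    # Assumption: app bot logins are '<slug>[bot]'; reject a mismatch so a
    # sender cannot borrow another app's authored content.
    return sender.get("login") == f"{app.get('slug')}[bot]"


def evaluate(event: dict) -> dict:
    """Run both gates over one event and report the decisions side by side."""
    actor = (event.get("sender") or {}).get("login", "")
    return {
        "actor": actor,
        "weak": weak_is_trusted(actor),
        "hardened": hardened_is_trusted(event),
    }


# Constructed sample payloads (trimmed to the fields the gates inspect).
ATTACKER_APP_EVENT = {  # attacker-registered app, installed only on their repo
    "sender": {"login": "totally-legit-helper[bot]", "type": "Bot"},
    "issue": {"performed_via_github_app": {"id": 999999, "slug": "totally-legit-helper"}},
}
TRUSTED_APP_EVENT = {  # the one app the workflow is meant to accept
    "sender": {"login": "release-helper[bot]", "type": "Bot"},
    "issue": {"performed_via_github_app": {"id": 123456, "slug": "release-helper"}},
}
MISMATCH_EVENT = {  # trusted login string, but authored via a different app
    "sender": {"login": "release-helper[bot]", "type": "Bot"},
    "issue": {"performed_via_github_app": {"id": 999999, "slug": "totally-legit-helper"}},
}
HUMAN_EVENT = {  # ordinary user; neither gate should treat them as a trusted app
    "sender": {"login": "alice", "type": "User"},
    "issue": {"performed_via_github_app": None},
}

if __name__ == "__main__":
    for name, ev in [
        ("attacker app", ATTACKER_APP_EVENT),
        ("trusted app", TRUSTED_APP_EVENT),
        ("slug/id mismatch", MISMATCH_EVENT),
        ("human user", HUMAN_EVENT),
    ]:
        print(f"{name:18} {evaluate(ev)}")
```

In a workflow, the weak gate is the `if:` expression that tests whether `github.actor` ends in `[bot]`; the id-based check belongs in a script step that reads the event payload from `GITHUB_EVENT_PATH`, and it fails closed whenever the authoring app is absent or not on the allowlist.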

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://flatt.tech/research/posts/poisoning-claude-code-one-github-issue-to-break-the-supply-chain/

Content Categories: Based on the analysis, this content was categorized under "Pentesting CI/CD > Github Security > Abusing Github Actions; potentially a new subsection for LLM/AI Agent GitHub Actions prompt injection and token exfiltration".

Repository Maintenance:

  • MD Files Formatting: 585 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
