{"id":264279,"date":"2026-06-04T11:15:00","date_gmt":"2026-06-04T15:15:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/04\/claude-code-github-action-flaw-let-one-malicious-issue-hijack-repositories\/"},"modified":"2026-06-04T15:20:08","modified_gmt":"2026-06-04T19:20:08","slug":"claude-code-github-action-flaw-let-one-malicious-issue-hijack-repositories","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/04\/claude-code-github-action-flaw-let-one-malicious-issue-hijack-repositories\/","title":{"rendered":"Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/claude-code-github-action-flaw-let-one.html\">Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/claude-code-github-action-flaw-let-one.html\">https:\/\/thehackernews.com\/2026\/06\/claude-code-github-action-flaw-let-one.html<\/a><\/p>\n<p>Publish Date: 2026-06-04 11:15:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Swati Khandelwal<\/span> <span class=\"author\">Jun 04, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ AI Security<\/span><\/p>\n<p>A security researcher found a flaw in Anthropic&#8217;s Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it, with nothing more than a single opened GitHub issue. 
Because Anthropic&#8217;s own action repo used the same workflow, a working attack could have pushed malicious code into the action itself and onto the projects downstream that pull it.<\/p>\n<p>RyotaK of GMO Flatt Security reported the core bypass to Anthropic in January, and Anthropic fixed it within four days, with further hardening through the spring; the fixes are in claude-code-action v1.0.94. Anthropic rated the issues 7.8 under CVSS v4.0 and paid a bug bounty.<\/p>\n<p>Claude Code GitHub Actions drops Claude into CI\/CD pipelines to triage issues, slap on labels, review pull requests, or run slash commands. By default, the workflow gets read and write access to a repo&#8217;s code, issues, pull requests, discussions, and workflow files. Because those permissions are broad, the action is supposed to be picky about who can trigger it: only users with write access.<\/p>\n<p>The trigger check had a hole. It waved through any actor whose name ended in [bot], on the assumption that GitHub Apps are trusted things admins install. Trouble is, anyone can register a GitHub App, install it on a repo they own, and use its token to open an issue or pull request on any public repository. The action saw &#8220;a bot&#8221; and let the attacker&#8217;s content through. Tag mode had an extra check to confirm the actor was a real human; agent mode didn&#8217;t, which left it open.<\/p>\n<p>From there, the attacker leans on indirect prompt injection, the trick of planting instructions inside content that an AI reads so the model follows them instead of its actual task. RyotaK wrote an issue whose body looked like an error message, then refined the prompt until Claude would &#8220;recover&#8221; by running the commands buried in it. 
The target is \/proc\/self\/environ, the Linux file that holds&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/claude-code-github-action-flaw-let-one.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories https:\/\/thehackernews.com\/2026\/06\/claude-code-github-action-flaw-let-one.html Publish Date: 2026-06-04&#8230;<\/p>\n","protected":false},"author":1,"featured_media":264280,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhiaBF9jAklPh1ncr_eVPGnV229BSTNgAjkScVm-yTXAn4IcBjjZoLIglasRdu1XEPafCxJhqVZrC3zkNWilyAhN-6Ox8z2HBRjNg2D4aqJsDiRDg02BgAy4zgwU2100ZLIO8yTOtarI0Vxa3AGUQk0GZq1_zKSFQOhNiNoyVsP2AldJZoW8ZJ1rY936ZI\/s1600\/claude-code-hack.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,27],"class_list":["post-264279","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/264279"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=264279"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/264279\/revisions"}],"predecessor-version":[{"id":264281,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/264279\/revisions\/264281"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/m
edia\/264280"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=264279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=264279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=264279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
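Added example, not code from the article and not claude-code-action's own source: the trigger check the article describes, which trusts any actor whose login ends in [bot], shown beside a hardened variant that derives trust from the repository's own collaborator permission level and from a maintainer-set allowlist of bot logins. The event payloads, the collaborator table and the `getPermission` lookup are constructed stand-ins; in a real action the lookup would be the collaborator permission endpoint of the GitHub API and the allowlist would be an action input.

```javascript
// Added example (not from claude-code-action or the article). Repository
// state, bot allowlist and event payloads below are constructed.

// --- Vulnerable check: the pattern the article describes. ----------------
// "Looks like a bot" is attacker-controlled: whoever registers a GitHub App
// chooses its name, and the App then acts under the login "<name>[bot]".
function isTrustedActorVulnerable(actorLogin, writers) {
  if (actorLogin.endsWith("[bot]")) return true; // the hole
  return writers.includes(actorLogin);
}

// --- Hardened check. -----------------------------------------------------
// Trust is resolved from what the repository knows about the actor, never
// from the shape of the login string:
//   * humans: require write/maintain/admin on THIS repo (getPermission is a
//     stand-in for GET /repos/{owner}/{repo}/collaborators/{user}/permission)
//   * bots:   deny unless a maintainer explicitly allowlisted that bot login
// sender.type is the payload field that says whether the actor is an App.
function isTrustedActorHardened(event, getPermission, allowedBotLogins) {
  const sender = event.sender || {};
  if (!sender.login) return false;
  if (sender.type === "Bot") return allowedBotLogins.has(sender.login);
  const level = getPermission(sender.login);
  return level === "write" || level === "maintain" || level === "admin";
}

// --- Constructed repository state (illustrative logins, not real accounts).
const COLLABORATOR_PERMISSION = {
  "maintainer-alice": "admin",
  "contributor-bob": "write",
  "drive-by-carol": "read",
};
const WRITERS = Object.keys(COLLABORATOR_PERMISSION).filter((login) =>
  ["write", "maintain", "admin"].includes(COLLABORATOR_PERMISSION[login])
);
const getPermission = (login) => COLLABORATOR_PERMISSION[login] || "none";
// Only a bot the maintainers installed on purpose belongs here.
const ALLOWED_BOT_LOGINS = new Set(["dependabot[bot]"]);

// Constructed "issues: opened" payload, trimmed to the fields used above.
function makeIssueEvent(login, type, body) {
  return { action: "opened", sender: { login, type }, issue: { body } };
}

// Run one actor through both checks and report the two verdicts.
function evaluate(login, type) {
  const event = makeIssueEvent(login, type, "Error: build failed ...");
  return {
    vulnerable: isTrustedActorVulnerable(login, WRITERS),
    hardened: isTrustedActorHardened(event, getPermission, ALLOWED_BOT_LOGINS),
  };
}

const CASES = [
  ["contributor-bob", "User"],   // legitimate writer: both checks allow
  ["drive-by-carol", "User"],    // read-only: both checks deny
  ["dependabot[bot]", "Bot"],    // installed, allowlisted bot: both allow
  ["attacker-app[bot]", "Bot"],  // attacker-registered App: only the vulnerable
];                               // check lets its issue body reach Claude

for (const [login, type] of CASES) {
  const { vulnerable, hardened } = evaluate(login, type);
  console.log(`${login.padEnd(20)} vulnerable=${vulnerable}  hardened=${hardened}`);
}
```

The allowlist is keyed on the full bot login rather than on an App ID only because that is what is visible in the trimmed payload above; a production check should also confirm the App is installed on the repository being protected, not on a fork the attacker controls.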