Anthropic, Google, Microsoft Pay AI Bug Bounties, Including Gemini, in Quiet Move

The researchers discovered that the three agents share an identical data‑flow architecture: each GitHub Action pulls raw repository metadata—pull‑request titles, issue bodies, and comments—feeds it into the LLM, and then lets the model generate a JSON‑formatted response that GitHub posts back as a bot comment. By embedding a malicious instruction in the pull‑request title, the team was able to coerce the model into executing arbitrary shell commands on the runner that hosts the action. In the first demonstration, a “whoami” command was injected, and Claude returned the system user name inside its security‑finding payload, proving that the agent was executing code it received from untrusted text (The Register).

Anthropic’s Claude Code Security Review was the initial target. After reporting the vulnerability on HackerOne in October, Anthropic asked the researchers to expand the proof‑of‑concept to exfiltrate secrets. The team succeeded by crafting a title that instructed Claude to read the GitHub access token and Anthropic API key from the runner’s environment, then echo those values into the bot’s comment. Because the comment is visible to anyone with repository read access, the credentials could be harvested silently. The researchers noted that the malicious payload can be swapped back to a benign title after the leak, and the bot comment can be deleted, leaving little forensic trace (The Register).

Google’s Gemini CLI Action exhibited the same flaw. The Gemini agent also parses PR metadata as part of its task context, so a crafted title can trigger the same command‑injection chain. When the researchers submitted a Gemini‑specific payload, the action executed the same “whoami” and credential‑leak commands, confirming that the vulnerability is not tied to a single model but to the way GitHub Actions expose unfiltered text to the LLM. Google did not assign a CVE or publish an advisory, and the bug bounty awarded by the company was described only as “beer money” (The Register).

Microsoft’s GitHub Copilot Action was the third confirmed instance. Copilot’s Action similarly reads PR titles and comments, then runs the model to produce a review comment. By injecting a payload into the title, the researchers forced Copilot to invoke the Bash tool on the runner, retrieve the GitHub token, and embed it in the JSON response. As with the other agents, the token appeared in the public comment, enabling an attacker to clone the repository or push further malicious changes. Microsoft also refrained from issuing a public advisory or CVE, despite paying a bounty for the disclosure (The Register).

The broader implication, according to Johns Hopkins researcher Aonan Guan, is that any GitHub Action that incorporates LLM‑driven automation and has access to repository secrets is potentially exploitable via this prompt‑injection pattern. He warned that “some of the users are pinned to a vulnerable version,” and that without vendor‑issued advisories, many teams may remain unaware of the risk (The Register). The attack surface extends to Slack bots, Jira agents, email automation, and deployment pipelines that similarly ingest untrusted text. Until the major providers publish security notices and patch the data‑handling logic, organizations that rely on AI‑enhanced GitHub Actions should treat the integration as untrusted code and enforce strict secret‑masking and input sanitisation.