Comment and Control: Prompt Injection Turns GitHub Comments into Credential Theft

April 21, 2026 Faeem BLOGS 0

Overview Researchers have disclosed a critical cross‑vendor vulnerability class dubbed “Comment and Control”, which weaponizes GitHub pull request titles, issue bodies, and comments to hijack AI coding agents. The flaw impacts Claude Code Security Review (Anthropic), Gemini CLI Action (Google), and GitHub Copilot Agent, enabling attackers to steal API keys and tokens directly from CI/CD environments.

Key Highlights

  • Attack Vector: Malicious PR titles or issue comments injected into GitHub workflows.
  • Impact: AI agents process untrusted input as trusted context, execute attacker instructions, and exfiltrate secrets.
  • Affected Vendors:
    • Claude Code: PR title injection → credential dump via PR comment.
    • Gemini CLI: Issue comment injection → API key leak via public issue comment.
    • Copilot Agent: HTML comment injection → bypassed three runtime defenses, exfiltrated secrets via git commit.
  • Severity: Rated CVSS 9.4 Critical in some cases.

Attack Pattern

  • Proactive Trigger: Unlike traditional prompt injection, attacks auto‑trigger via GitHub Actions events (pull_request, issues, issue_comment).
  • Exfiltration Channels: PR comments, issue comments, or git commits — no external server required.
  • Credential Exposure: Tokens like ANTHROPIC_API_KEY, GEMINI_API_KEY, GITHUB_TOKEN, and COPILOT_API_TOKEN leaked.

Risks to Enterprises

  • CI/CD Pipeline Compromise: Secrets exposed directly in developer workflows.
  • Cross‑Vendor Vulnerability: Same injection pattern defeated multiple AI agents.
  • Extended Attack Surface: Pattern applies to other AI agents in Slack, Jira, email, and deployment automation.
  • Stealth: Payloads hidden in HTML comments, invisible in rendered GitHub views.

Mitigation Guidance

  • Tool Allowlisting: Use --allowed-tools to restrict AI agent capabilities.
  • Least Privilege Secrets: Assign minimal scopes; avoid giving write tokens to read‑only agents.
  • Human Approval Gates: Require manual review before agents perform outbound actions.
  • Audit Integrations: Review all AI agent workflows in CI/CD pipelines.
  • Monitor Logs: Watch for anomalous credential access patterns in GitHub Actions.

Final Thought

The Comment and Control vulnerability class is a wake‑up call: prompt injection is no longer confined to user queries — it can weaponize developer collaboration platforms themselves. By exploiting GitHub comments and PR titles, attackers bypass traditional defenses and directly compromise CI/CD secrets. Enterprises must urgently rethink AI agent integrations, enforcing strict tool allowlists, least‑privilege access, and human oversight to prevent credential theft at scale.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.