#githubvulnerability

Microsoft Threat Intelligence has warned that vulnerabilities in Anthropic's Claude Code, an AI-powered coding assistant, could allow attackers to steal credentials from GitHub, Microsoft 365, and Azure environments. The disclosure highlights a growing class of supply-chain risks where AI agents, designed to accelerate development, inadvertently become vectors for credential exfiltration.

The Attack Vector: AI Agents in the CI/CD Pipeline

The core vulnerability lies in how Claude Code integrates with GitHub Actions and CI/CD workflows. Microsoft discovered that when the Claude Code GitHub Action processes untrusted content—such as issue bodies or pull request descriptions—it can expose secrets embedded in the workflow environment. Specifically, the ANTHROPIC_API_KEY and other sensitive credentials were at risk of exfiltration when the AI agent parsed maliciously crafted inputs.

This flaw underscores a critical paradox in agentic AI: to be useful, the agent needs access to sensitive tools and tokens; but granting that access creates a high-value target for attackers who can manipulate the agent's input.

Historical Context: A Pattern of Vulnerabilities

This is not an isolated incident. In February 2026, researchers disclosed multiple flaws in Claude Code, including:

- CVE-2026-21852: An information disclosure bug allowing malicious repositories to exfiltrate API keys simply by having a user open them before a trust prompt appeared - CVE-2026-24887: A command injection flaw enabling attackers to bypass confirmation prompts and execute untrusted commands directly - npm Package Manipulation: In June 2026, researchers demonstrated how malicious npm packages could rewrite the ~/.claude.json configuration file, redirecting authenticated requests to attacker infrastructure and intercepting OAuth tokens for Jira, Confluence, and GitHub

The Broader Threat: Poisoned Developer Tools

The Claude Code vulnerabilities are part of a larger trend targeting the software supply chain. In May 2026, a malicious VS Code extension known as "Nx Console" (attributed to threat group TeamPCP) compromised a GitHub employee's device, leading to the cloning of approximately 3,800 internal repositories. While customer data was not breached, the attack harvested production database access, CI/CD tokens, SSH keys, and cloud API keys.

Similarly, fake Claude Code packages have been observed stealing developer credentials for Microsoft 365 and Azure by targeting browser cookies, cached sessions, and federated sign-in tokens. These incidents confirm that developer environments are now primary battlegrounds for credential theft.

Mitigation Strategies for Development Teams

Organizations leveraging AI coding assistants must adopt new security postures:

- Isolate AI Agents: Run AI tools in sandboxed environments with minimal permissions. Never grant agents direct access to production secrets or long-lived bearer tokens - Sanitize Inputs: Treat all inputs to AI agents—especially from external sources like GitHub issues—as untrusted. Implement strict validation before passing data to agentic workflows - Rotate Credentials Aggressively: Given the risk of token interception, rotate API keys and OAuth tokens frequently. Use short-lived credentials wherever possible - Monitor Configuration Files: Watch for unauthorized changes to critical configuration files like ~/.claude.json, which can redirect traffic to attacker infrastructure - Update Immediately: Anthropic has released patches (e.g., version 2.1.128) to mitigate known GitHub Action exposures. Delayed patching leaves teams vulnerable to automated scanning and exploitation

The Bottom Line