Comment and Control: Prompt Injection to Credential Theft in Claude Code, Gemini CLI, and GitHub Copilot Agent
By Aonan Guan, with Johns Hopkins University’s Zhengyu Liu and Gavin Zhong Update — 2026-05-04. I reported this on 2025-10-17; Anthropic accepted it at Critical (CVSS 9.3), upgraded it to Critical (CVSS 9.4) on 2025-11-25, and changed it to None on 2026-04-20. Three of the most widely deployed AI agents on GitHub Actions can be hijacked into leaking the host repository’s API keys and access tokens — using GitHub itself as the command-and-control channel. ...