Skills
Comment and Control: Cross-Vendor Prompt Injection Hijacks Claude Code, Gemini CLI, and Copilot Agent via GitHub Comments — Exfiltrates Credentials Without External Server
Security researcher Aonan Guan and Johns Hopkins collaborators demonstrated 'Comment and Control,' a prompt injection class where malicious GitHub PR titles and issue comments hijack AI coding agents into exfiltrating API keys and tokens. All three major agents (Claude Code, Gemini CLI, Copilot Agent) were confirmed vulnerable; attacks are proactive (auto-triggered by GitHub Actions events) and require no victim interaction. Anthropic classified it CVSS 9.4 ($100 bounty), Google paid $1,337, GitHub paid $500 — but all vendors acknowledge the root cause is architectural, not patchable.
Source
↳ Follow the thread