Agents
Comment and Control: Claude Code, Gemini CLI, and Copilot All Exploited via GitHub PR Comments
Johns Hopkins researchers Aonan Guan, Zhengyu Liu, and Gavin Zhong disclosed 'Comment and Control' — a prompt injection technique exploiting how AI agents in GitHub Actions process untrusted PR titles, issue comments, and HTML-hidden payloads. Claude Code leaked credentials via crafted PR titles (Anthropic: critical, $100 bounty), Gemini CLI exposed API keys via issue comment injection (Google: $1,337), and Copilot was hijacked via HTML comments invisible in rendered Markdown (GitHub: $500, classified as 'known architectural limitation'). The root cause is architectural: agents receive powerful tools and production secrets in the same runtime that processes untrusted input.
Source
↳ Follow the thread