Claude Code Vulnerability Might Let Attackers Steal Credentials From GitHub, Says Microsoft – Decrypt




In short
Microsoft researchers found that Anthropic's Claude Code GitHub Action could be manipulated by prompt injection attacks.
The attack relied on malicious instructions hidden in GitHub issues, pull requests, or comments that the AI agent was asked to review.
Anthropic patched the vulnerability in May after Microsoft disclosed the issue through HackerOne.
Microsoft researchers disclosed a now-patched vulnerability in Anthropic's Claude Code GitHub Action that could have allowed attackers to expose credentials stored in software development pipelines by manipulating the AI agent through malicious GitHub content.

In a blog post on Friday, Microsoft warned that AI coding agents operating inside CI/CD workflows could create new security risks because these environments often have access to API keys, cloud credentials, and other sensitive information.

"We began this research after observing prompt injection attempts in public repositories using AI-assisted GitHub workflows across multiple vendors, where attacker-controlled issue or [pull request] content is processed by the AI agent and could influence its tool use," Microsoft wrote.

On GitHub, a pull request lets developers propose changes to a code repository and have those changes reviewed before they are approved and merged.

The report comes as prompt injection attacks have emerged as one of the largest security threats facing AI agents. In a prompt injection attack, an attacker hides instructions in content such as emails, documents, websites, or code comments, causing an AI system to follow those instructions instead of the user's.

Launched in October, Claude Code is Anthropic's AI coding agent for software development tasks. The tool drew scrutiny in March after Anthropic accidentally leaked more than 500,000 lines of its source code, exposing details of its internal architecture and prompting widespread analysis by researchers and developers.

According to Microsoft, attackers could use prompt injection attacks hidden in GitHub issues, pull requests, or comments to manipulate Claude Code into accessing files containing sensitive credentials.

To test the vulnerability, Microsoft created a GitHub workflow and disguised malicious instructions behind content hosted on a site it controlled, allowing the researchers to bypass Claude's safety protections. The prompt injection attack tricked Claude into reading sensitive credentials and altering them to evade both Claude's safeguards and GitHub's secret-scanning tools. Microsoft said an attacker could then reconstruct the credential and exfiltrate it through issue comments, workflow logs, web requests, or shell commands.

"To bypass Sonnet's refusal safety mechanisms, we obscured the shell payload behind a response from our controlled domain," the firm said. "We also enabled the workflow to be triggered by users with no 'write' permissions to ensure Anthropic's environment variable scrub mitigations were active during our tests."

Anthropic patched the flaw on May 5 with Claude Code version 2.1.128 after Microsoft disclosed the vulnerability through HackerOne on April 29.

Despite multiple layers of built-in security controls, Microsoft found that a determined attacker could potentially manipulate an AI agent into exposing sensitive information.

"We're entering an era where natural language is executable code, and untrusted inputs like GitHub issues must be treated as hostile by default," it said. "A single, carefully crafted comment combined with a misunderstood trust boundary is all it takes to walk away with production credentials."
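The two controls Microsoft's test setup points at, gating the agent on the comment author's repository role and keeping credentials out of the agent's environment, can be written straight into the workflow file. The workflow below is an added illustration for this article, not code from Anthropic, Microsoft or the Claude Code action; the agent step is a placeholder and the secret name is an assumption.

```yaml
# Hardened shape for a workflow that hands issue-comment text to an AI review agent.
# The risky shape it replaces: a job triggered by issue_comment or pull_request_target
# with no author check, `permissions: write-all`, and cloud or deploy credentials
# exported into the agent's environment, where injected comment text can reach them.
name: ai-review-hardened

on:
  issue_comment:
    types: [created]

# Least privilege for the GITHUB_TOKEN the job inherits: read-only. If the agent
# must post a review, grant `pull-requests: write` alone, nothing broader.
permissions:
  contents: read
  issues: read
  pull-requests: read

jobs:
  review:
    # Trust boundary: only comments from accounts with write access reach the agent.
    # Text from any other account is never processed while secrets are present.
    # Adjust the list to match who your organisation actually trusts.
    if: >-
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the checkout token in .git/config for the agent to read.
          persist-credentials: false

      - name: Run the review agent (placeholder for the real agent step)
        env:
          # Only the credential the agent itself needs. Cloud, deploy and registry
          # secrets do not belong in this job; keep them in a separate workflow
          # that never processes untrusted text. Secret name is assumed.
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          echo "agent step would run here with the comment body as its input"
```

Because secrets are scoped per job, a credential that is not listed under this job's `env` is not available to anything the agent executes, whatever the comment text asks for.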