Rewterz Annual Threat Intelligence Report 2025 - Download Now

Request a Demo
Rewterz

Mirai Malware Targets TP-Link Routers via CVE-2023-33538 – Active IOCs

April 20, 2026
Rewterz

1,370 SharePoint Servers Exposed to Spoofing Attacks

April 22, 2026

Claude, Gemini, and Copilot Hit by GitHub Prompt Injection

Severity

High

Analysis Summary

A newly identified cross-vendor attack class called “Comment and Control” demonstrates a dangerous evolution of prompt injection attacks targeting AI-powered development agents integrated into GitHub workflows. Unlike traditional prompt injection, this technique abuses GitHub’s native automation triggers, such as pull requests, issue creation, and issue comments, to inject malicious instructions directly into AI agents. Because these events automatically feed data into CI/CD pipelines, attackers can trigger AI execution simply by submitting crafted PR titles or issue content, without any user interaction. The attack mirrors the concept of Command and Control (C2) in malware operations, but operates entirely inside GitHub’s ecosystem, making detection significantly harder.

The research shows that three widely used AI coding systems, Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent, are all vulnerable to variations of this attack. In the case of Claude Code, the vulnerability stems from unsanitized PR titles being injected directly into the AI prompt, allowing attackers to break context and execute system-level commands that expose environment variables, including API keys and tokens. Similarly, Gemini CLI Action incorporates issue content into its prompt context, enabling attackers to manipulate “trusted sections” and trick the model into leaking sensitive credentials like the GEMINI_API_KEY through public issue comments.

The GitHub Copilot Agent case demonstrates the most advanced exploitation chain, bypassing multiple built-in defenses, including environment variable filtering, secret scanning, and network restrictions. Attackers were able to extract sensitive credentials by reading parent process memory space via system commands and bypassing the filtering logic that only protected child processes. They further evaded detection by encoding stolen data and exfiltrating it through legitimate Git operations, making the activity appear normal within CI/CD workflows. Additionally, hidden HTML comments inside issue bodies were used to conceal malicious payloads from human reviewers while remaining readable to the AI agent.

Collectively, all three vulnerabilities highlight a systemic architectural flaw: AI agents are being granted direct access to untrusted external inputs while simultaneously operating in environments that contain high-value secrets and powerful execution tools. This combination allows attackers to turn routine GitHub interactions into fully automated credential theft and command execution pipelines. Security researchers warn that this pattern is not limited to GitHub but extends to any AI system integrated into enterprise workflows, such as Slack bots, Jira automation, email assistants, and deployment pipelines, where untrusted content and sensitive execution privileges coexist in the same runtime.

Impact

  • Sensitive Data Theft
  • Security Bypass
  • Gain Access

Remediation

  • Strictly separate untrusted external input (GitHub issues, PRs, comments) from any AI agent prompt context, ensuring raw user-controlled content is never directly injected into system or instruction prompts.
  • Enforce prompt sanitization and normalization layers that strip or neutralize injection patterns (e.g., instruction-like phrases, role-switching attempts, or system prompt delimiters) before data reaches the AI model.
  • Apply least-privilege access control (Zero Trust model) for all AI agents so they never run with unrestricted access to environment variables, CI/CD secrets, or production tokens.
  • Remove direct access to sensitive credentials from AI runtime environments; instead use short-lived, scoped, and audit-logged tokens with minimal permissions.
  • Implement tool-use allowlisting, ensuring AI agents can only execute explicitly approved commands and cannot spawn arbitrary shell processes or access system-level utilities like /proc, env, or debugging tools.
  • Isolate AI agents in sandboxed execution environments (container or VM isolation) with no access to host-level environment variables or secret stores.
  • Add output filtering and secret detection layers to prevent accidental leakage of API keys, tokens, or sensitive data in logs, PR comments, commits, or issue responses.
  • Harden CI/CD triggers by requiring human review or approval gates before AI-generated actions (such as code changes, commits, or workflow execution) are applied.
  • Use content trust boundaries: clearly label and treat all GitHub PR/issue data as untrusted input, regardless of repository source or contributor status.
  • Monitor and log all AI agent actions with behavioral anomaly detection, flagging unusual patterns such as credential access attempts, unexpected command execution, or large data exfiltration.
  • Disable or restrict AI agents from processing hidden or non-rendered content (e.g., HTML comments) unless explicitly required and validated.
  • Regularly perform red-team testing and prompt injection audits against AI-integrated workflows to identify new injection vectors before attackers exploit them.