
Claude Code GitHub Action Vulnerability: Repository Hijacking Analysis and Hardening

Security Arsenal Team
June 4, 2026

A critical security weakness in Anthropic's claude-code GitHub Action has exposed a dangerous attack vector within the modern software supply chain. Discovered by security researcher RyotaK of GMO, this flaw allowed attackers to completely hijack public repositories with nothing more than a single opened GitHub Issue.

The vulnerability is particularly alarming due to its "poisoned well" potential. Because Anthropic's own repository utilized the vulnerable workflow, a successful exploit could have allowed an attacker to inject malicious code into the Action itself. This would automatically propagate the compromise to downstream projects that depend on it, creating a recursive supply chain attack. For SOC and DevSecOps teams, this highlights the fragility of relying on community Actions and the necessity of strict input validation within CI/CD pipelines.

Technical Analysis

Affected Component: Anthropic claude-code GitHub Action.

The Vulnerability: The Action was configured to trigger on issue_comment events. In this specific implementation, the workflow processed the content of user comments without sufficient sanitization or isolation. The Action likely passed the comment data directly to the underlying claude-code CLI tool or a shell environment.

Attack Chain:

  1. Initialization: An attacker identifies a repository using the vulnerable anthropics/claude-code Action.
  2. Trigger: The attacker opens a GitHub Issue and posts a comment containing a malicious payload (e.g., a shell command, exfiltration script, or a git command to push a new commit).
  3. Execution: The GitHub Action runner picks up the issue_comment event. The vulnerable code executes the attacker's input within the context of the repository.
  4. Compromise: The Action runs with the repository's GITHUB_TOKEN. If the token has write permissions (common in CI/CD workflows), the attacker can push malicious code to the source repository, steal secrets, or modify the repository settings.

Exploitation Status: Proof-of-concept (PoC) exploitation has been demonstrated by RyotaK. The researcher confirmed that the flaw could be used to gain repository control. Furthermore, the researcher verified that Anthropic's own repository was susceptible, creating a high-risk scenario for a self-replicating supply chain compromise prior to mitigation.

Detection & Response

Detecting this type of compromise requires monitoring the behavior of the GitHub Actions runner environments. While the vulnerability itself is a logic flaw in the YAML/Node.js configuration, the observable indicator is the execution of unauthorized commands (specifically git or shells) spawned by the runner process in response to webhooks.

SIGMA Rules

YAML
---
title: Suspicious Git Push by GitHub Action Runner
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects git push commands initiated by GitHub Action runners, which may indicate a compromised workflow pushing malicious code.
references:
 - https://securityarsenal.com/blog/claude-code-github-action-flaw
author: Security Arsenal
date: 2026/06/16
tags:
 - attack.execution
 - attack.t1059.004
logsource:
 category: process_creation
 product: linux
detection:
 selection:
   ParentImage|contains:
     - '/actions/'
     - '/runner/'
   Image|endswith:
     - '/git'
     - '/git-remote-http'
   CommandLine|contains: 'push'
 condition: selection
falsepositives:
  - Legitimate CI/CD deployment pipelines pushing code
level: high
---
title: Shell Execution via GitHub Action Triggered by Issue Events
id: b2c3d4e5-6789-01ab-cdef-234567890bcd
status: experimental
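description: Detects shell or node processes spawned under a GitHub Actions runner path, excluding common build commands. Process creation logs do not record the workflow trigger, so correlate hits with issue_comment events to confirm potential command injection.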
references:
 - https://securityarsenal.com/blog/claude-code-github-action-flaw
author: Security Arsenal
date: 2026/06/16
tags:
 - attack.initial_access
 - attack.t1190
logsource:
 category: process_creation
 product: linux
detection:
 selection:
   ParentImage|contains: '/actions/'
   Image|endswith:
     - '/bash'
     - '/sh'
     - '/node'
 filter_legit:
   CommandLine|contains:
     - 'npm '
     - 'yarn '
     - 'pytest '
 condition: selection and not filter_legit
falsepositives:
  - Authorized build scripts executing shell commands
level: medium

KQL (Microsoft Sentinel / Defender)

// Hunt for Git push commands spawned by GitHub Runner processes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has "Runner" or InitiatingProcessFolderPath has "actions"
| where FileName in ("git", "git.exe")
| where ProcessCommandLine has "push"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

-- Hunt for suspicious child processes of GitHub Action Runners
SELECT Pid, Name, Exe, CommandLine, Parent.Pid AS ParentPid, Parent.Name AS ParentName, Username
FROM pslist()
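-- Parent conditions are grouped so the child-name filter applies to all of them;
-- the name pattern is anchored so "sh" does not also match ssh, sshd and similar.
WHERE (Parent.Name =~ "Runner"
    OR Parent.Name =~ "node"
    OR Exe =~ "github-runner")
   AND Name =~ "^(git|bash|sh)$"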

Remediation Script

Bash / Shell
#!/bin/bash
# Audit script to check for usage of Anthropic Claude Code Action in workflows
# Usage: ./audit_claude_action.sh /path/to/repo

REPO_PATH=${1:-.}
echo "[+] Scanning $REPO_PATH for Anthropic Claude Code GitHub Action usage..."

# Find all workflow YAML files; the parentheses make -type f apply to both name patterns
find "$REPO_PATH/.github/workflows" -type f \( -name "*.yml" -o -name "*.yaml" \) 2>/dev/null | while IFS= read -r file; do
    if grep -qi "anthropics/claude-code" "$file"; then
        echo "[!] FOUND VULNERABLE REFERENCE IN: $file"
        # Same case-insensitive match as the test above, with line numbers
        grep -ni "anthropics/claude-code" "$file"
    fi
done

echo "[+] Audit complete."
echo "[!] Recommendation: Ensure the action is pinned to a specific, patched commit hash (e.g., uses: anthropics/claude-code@<commit-sha>) rather than a branch or tag."

Remediation

To secure your repositories against this and similar CI/CD attacks, implement the following measures immediately:

  1. Update the Action: Anthropic has likely patched this flaw by removing the issue_comment trigger or sanitizing inputs. Verify you are using the latest version of the anthropics/claude-code action.

  2. Pin Action Versions: Never reference Actions using mutable refs such as the @main branch or the @v1 tag. Pin to a specific commit SHA (e.g., uses: anthropics/claude-code@abcd1234...) to ensure your pipeline does not automatically adopt a vulnerable version in the future.

  3. Least Privilege GITHUB_TOKEN: Review your workflow permissions. Ensure the contents: write permission is only granted to workflows that absolutely require it. Most workflows can run with contents: read.

  4. Disable Fork PRs: For high-risk repositories, disable workflow triggers from Fork Pull Requests to prevent external attackers from running code in your context.

  5. Workflow Audit: Use the provided script to audit your codebase for any remaining references to the Action in its vulnerable state.

Official Reference: Review the Anthropic GitHub repository security advisories for the specific patched commit hash.
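
The audit script above only finds references to the Action. The following added example (not Security Arsenal's or Anthropic's code) checks a workflow file for the three properties that measures 1 to 3 address: an issue_comment trigger, a write-scoped or undeclared GITHUB_TOKEN, and actions referenced by branch or tag. The function name audit_workflow, the finding labels, both sample workflows and the all-zero SHA are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Security Arsenal's or Anthropic's code. Sample workflows are constructed.
audit_workflow() {
    local file=$1
    # 1. Trigger that anyone able to comment on an issue can fire.
    if grep -Eq '^[[:space:]]*issue_comment[[:space:]]*:|^on:.*issue_comment' "$file"; then
        echo "TRIGGER issue_comment"
    fi
    # 2. GITHUB_TOKEN scope; with no permissions block the repository default applies.
    if ! grep -Eq '^[[:space:]]*permissions:' "$file"; then
        echo "PERMS undeclared"
    elif grep -Eq '^[[:space:]]*(permissions:[[:space:]]*write-all|contents:[[:space:]]*write)' "$file"; then
        echo "PERMS write"
    fi
    # 3. Actions referenced by branch or tag instead of a 40-hex commit SHA
    #    (local ./ actions are skipped).
    grep -E '^[[:space:]-]*uses:[[:space:]]*[^./[:space:]][^[:space:]]*@' "$file" \
        | grep -Ev '@[0-9a-f]{40}([[:space:]]|$)' \
        | sed -E 's/^[[:space:]-]*uses:[[:space:]]*([^[:space:]]+).*/UNPINNED \1/'
    return 0
}

demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.yml" <<'EOF'
on:
  issue_comment:
    types: [created]
permissions:
  contents: write
jobs:
  assist:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code@main
EOF
cat > "$demo_dir/hardened.yml" <<'EOF'
on:
  workflow_dispatch:
permissions:
  contents: read
jobs:
  assist:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code@0000000000000000000000000000000000000000 # placeholder SHA
EOF
for f in "$demo_dir"/*.yml; do echo "== ${f##*/}"; audit_workflow "$f"; done
```

The checks are line-based pattern matches rather than a YAML parse, so treat a clean result as a first pass and review job-level permissions blocks by hand.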
