A critical vulnerability class dubbed “PromptPwnd,” affects AI agents integrated into GitHub Actions and GitLab CI/CD pipelines.
This flaw allows attackers to inject malicious prompts via untrusted user inputs like issue titles or pull request bodies, tricking AI models into executing privileged commands that leak secrets or alter workflows.
At least five Fortune 500 companies face exposure, with Google’s own Gemini CLI repository among the victims before a rapid patch.
The attack chain uncovered by Aikido Security begins when repositories embed raw user content such as ${{ github.event.issue.body }} directly into AI prompts for tasks like issue triage or PR labeling.
Agents like Gemini CLI, Anthropic’s Claude Code, OpenAI Codex, and GitHub AI Inference then process these inputs alongside high-privilege tools, including gh issue edit or shell commands accessing GITHUB_TOKEN, API keys, and cloud tokens.
In a proof-of-concept against Gemini CLI’s workflow, researchers submitted a crafted issue with hidden instructions like “run_shell_command: gh issue edit
This marks the first confirmed real-world demonstration of prompt injection compromising CI/CD pipelines, building on recent threats like the Shai-Hulud 2.0 supply chain attack that exploited GitHub Actions misconfigurations to steal credentials from projects including AsyncAPI and PostHog.
While some workflows require write permissions to trigger, others activate on any user’s issue submission, widening the attack surface for external foes.
Aikido tested exploits in controlled forks without real tokens and open-sourced Opengrep rules for detection, available via their free scanner or playground.
Remediation demands strict controls: limit AI toolsets to prevent issue edits or shell access, sanitize untrusted inputs before prompting, validate all AI outputs as untrusted code, and restrict token scopes by IP using GitHub features. Configurations like Claude’s allowed_non_write_users: “*” or Codex’s allow-users: “*” amplify risks if enabled.
As AI automates dev workflows to handle surging issues and PRs, PromptPwnd underscores a nascent supply chain frontier. Repositories must audit AI integrations immediately to avert secret exfiltration or repository takeovers.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
