HackRead

Google Fixes CVSS 10 Gemini CLI Vulnerability Enabling GitHub Issue-Based RCE


A major security vulnerability recently put Google’s official Gemini-cli repository and its associated GitHub Actions at risk of a total takeover. Researchers at the firm Pillar Security found a way to compromise the repository, a popular project with over 101,000 stars on GitHub. Researchers claim that a threat actor could have used the flaw to launch a full supply chain compromise.

The vulnerability was so severe that it earned a CVSS 10 rating. According to Pillar Security, the issue was not with the AI model itself but the way the system was built. The team, led by Dan Lisichkin, found that a hacker could gain control of the repository by simply opening a public Issue on GitHub.

How the Trust Issues Exploit Worked

The investigation began when automated scanners identified a vulnerability in Google’s Google/draco repository caused by Gemini running in --yolo mode, a dangerous setting that enables the gemini-cli agent to auto-approve shell commands and tool calls without human confirmation.

This allowed for an attack method the team called TrustIssues, which relied on prompt injection. Because Gemini was set to automatically read and label incoming GitHub issues while in --yolo mode, an attacker could hide commands inside the text of an issue. When Gemini read the message, it would stop its normal job and execute the attacker’s hidden shell commands instead.

The Lethal Trifecta

Further investigation revealed a lethal trifecta that made the attack possible. A lethal trifecta is a situation where a tool can access private data, read untrusted content from the public, and communicate with external servers.

Here, Gemini had access to private data, was allowed to read text from the public, and could send data to external servers. Researchers noted that even though Google tried to keep GitHub tokens away from the AI agent, those keys were still saved on the runner’s disk. Specifically, the actions/checkout action saved these credentials in the .git/config file. Gemini was tricked into reading this file and sending the keys to the attacker.

Attack flow (Source: Pillar Security)

The Road to a Fix

In a proof-of-concept, researchers demonstrated the entire attack chain, showing how a threat actor could perform a privilege escalation after stealing the initial keys. By using the stolen data to trigger other tasks like smoke-test.yml, the attacker eventually gained contents: write permissions. This would empower them to change the actual code in the gemini-cli repository.

Following the initial report by Pillar Security on 16 April 2026 involving the Google/draco repository, the team demonstrated this full attack on gemini-cli on 20 April, leading Google to release security advisory GHSA-wpqr-6v78-jr5g and software patches by 24 April 2026.

The flaw is now patched in Gemini CLI (version 0.39.1) and run-gemini-cli (version 0.1.22). These new versions limit what commands the AI agent can run, even in --yolo mode.


“Preventing this class of attack requires treating AI agents as privileged code execution, not just assistants,” researchers concluded, suggesting that developers set persist-credentials: false on the actions/checkout step of their GitHub workflows to keep their GitHub tokens off the disk.
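As an added illustration (not code from Pillar Security, Google, or the original article), the following Python script audits a workflow file for the two conditions described above: an actions/checkout step that leaves its token in .git/config, and an agent step run with --yolo. The sample workflow, the finding names, and the line-based step splitting (used here instead of a full YAML parser) are assumptions made for the example.

```python
import re

# Constructed sample workflow (not from the article).
SAMPLE_WORKFLOW = """\
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkout with token kept off disk
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Label issue
        run: gemini --yolo -p "Label this issue"
"""

# Line-based heuristics (assumption: steps are written as "- key:" list items).
STEP_START = re.compile(r"^\s*-\s+(name|uses|run|id|if|with|env):")
CHECKOUT = re.compile(r"uses:\s*actions/checkout@")
PERSIST_OFF = re.compile(r"persist-credentials:\s*['\"]?false\b")

def split_steps(text):
    """Group lines into steps; each '- key:' item starts a new step."""
    steps = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if STEP_START.match(line):
            steps.append((lineno, []))
        if steps:
            steps[-1][1].append(line)
    return steps

def audit(text):
    """Return (line, finding) pairs for the two conditions the article names."""
    findings = []
    for lineno, body in split_steps(text):
        joined = "\n".join(body)
        if CHECKOUT.search(joined) and not PERSIST_OFF.search(joined):
            findings.append((lineno, "checkout-persists-token"))  # token lands in .git/config
        if "--yolo" in joined:
            findings.append((lineno, "agent-auto-approve"))  # no human confirmation
    return findings

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {finding}")
```

Run against the sample, it reports the default checkout step and the --yolo step, and leaves the checkout that sets persist-credentials: false alone.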




