Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories
ID: a075925d-528c-58e5-9c6c-dfc90b9bba53
STIX ID: report--a075925d-528c-58e5-9c6c-dfc90b9bba53
Feed Name: The Hacker News
A security researcher found that Anthropic's Claude Code GitHub Action improperly trusted actors whose names end in "[bot]" and allowed agent-mode workflows to accept untrusted input, enabling prompt-injection attacks that exfiltrate environment secrets (notably the GitHub Actions OIDC credential). An attacker who replays those credentials can gain write access to repositories, including the action repo itself, creating a supply-chain risk. Anthropic patched the flaw in claude-code-action v1.0.94 and paid a bounty. Similar chains have already led to real token thefts.
