Executive Summary
A critical vulnerability affecting GitHub agentic workflows—specifically, prompt injection attacks targeting AI-powered developer tools and CI/CD pipelines—has emerged as a significant threat to software supply chain security. Attackers are leveraging prompt injection to manipulate AI agents such as GitHub Copilot, Google Gemini CLI, and Anthropic Claude Code, resulting in credential theft, arbitrary code execution, and unauthorized repository modifications. This advisory provides a comprehensive technical analysis of the vulnerability, exploitation methods, affected products, observed campaigns, and actionable mitigation strategies. While exploitation in the wild has been widely reported by industry sources, this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Technical Information
The vulnerability class centers on prompt injection within agentic workflows in GitHub Actions. AI agents integrated into these workflows (for example, GitHub Copilot Coding Agent, Google Gemini CLI, and Anthropic Claude Code) process untrusted content fields such as issue titles, pull request comments, and code comments. Attackers craft malicious instructions in these fields, which are then executed by the AI agents—often with elevated privileges. This can lead to exfiltration of sensitive credentials (such as GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, or third-party API keys), unauthorized repository actions, and even arbitrary code execution.
Several high-profile incidents have demonstrated the real-world impact of this vulnerability class. The Ultralytics AI Library compromise in December 2024 resulted in credential theft and downstream risk propagation. The TJ-Actions/Changed-Files attack in March 2025 led to the theft of thousands of secrets, while the NX Build System attack in May 2025 marked the first AI-weaponized supply chain attack. The GhostAction campaign stole over 3,000 secrets via compromised Actions.
The technical root cause is the improper neutralization of untrusted input used for LLM prompting (CWE-1427). In affected workflows, AI agents are triggered by events such as issues.opened or pull_request.opened, and process fields like ${{ github.event.issue.title }} or ${{ github.event.issue.body }} without adequate sanitization. When these agents are granted permissions to perform repository actions or access secrets, prompt injection can result in severe compromise.
The MITRE ATT&CK technique most relevant to this threat is T1677: Poisoned Pipeline Execution (PPE), encompassing direct, indirect, and public PPE sub-techniques. Attackers gain initial access by submitting crafted issues or pull requests, which are then processed by over-privileged AI agents. Execution occurs when the agent interprets and acts on the malicious prompt, leading to credential access, persistence via compromised Actions or dependencies, and impactful modifications to the repository or CI/CD environment.
Exploitation in the Wild
Multiple campaigns have exploited this vulnerability class. The GhostAction campaign in September 2025 resulted in the theft of 3,325 secrets from 817 repositories via compromised workflows. The NX Build System attack in August 2025 targeted AI tool credentials, including those for Claude Code, Gemini CLI, and Amazon Q. The Ultralytics AI Library compromise in December 2024 used pull_request_target script injection to embed cryptomining code.
Attack vectors include prompt injection via public issue or PR submission, supply chain attacks through compromised third-party Actions (such as tj-actions/changed-files and reviewdog/action-setup), and poisoned pipelines where malicious code or dependencies are injected into build processes. Proof-of-concept exploits have demonstrated that any GitHub user can open an issue with prompt-injection content, causing the agent to perform unintended actions such as posting comments, applying labels, or exfiltrating secrets.
It is important to note that, as of this writing, CVE-2026-44246 is not listed in the CISA KEV catalog, and thus CISA has not confirmed active exploitation. However, multiple industry sources and technical blogs have documented exploitation in the wild.
APT Groups using this vulnerability
Attribution in the public domain links several threat actors to these campaigns. TeamPCP has been associated with the March 2026 Trivy Action supply chain attack. s1ngularity is linked to the NX build system compromise, and the GhostAction designation refers to the September 2025 campaign that targeted thousands of repositories. These groups have demonstrated advanced capabilities in leveraging prompt injection and supply chain compromise to achieve credential theft and persistent access.
Affected Product Versions
The following products and versions are known to be affected:
MIC-DKFZ/nnUNet (GitHub Actions) is vulnerable in versions prior to v2.4.1, specifically in the .github/workflows/issue-triage.yml workflow. No patched version was available as of April 28, 2026.
tj-actions/changed-files is affected in all tags prior to March 2025, with only those pinned to known-good SHAs after that date considered safe.
reviewdog/action-setup is similarly affected in all tags prior to March 2025, with remediation requiring pinning to trusted SHAs.
Ultralytics YOLO AI Library was compromised in versions 8.3.41, 8.3.42, 8.3.45, and 8.3.46 on PyPI.
Google Gemini CLI Action, Anthropic Claude Code Security Review Action, and GitHub Copilot Coding Agent were all vulnerable prior to April 2026, with patches released shortly after disclosure.
Workaround and Mitigation
To mitigate this vulnerability, organizations should pin all third-party Actions to full commit SHAs rather than floating tags, eliminating or restricting the use of pull_request_target workflows that check out fork code. Explicit, minimum-privilege permissions should be applied to every workflow file, and all repository content should be treated as untrusted input in agentic workflows. Separating agent decision-making from credentialed execution is critical, as is auditing for OIDC trust policy misconfigurations and restricting trust to specific repositories or branches. AI tool API keys should be rotated regularly, scoped to environment-specific, short-lived credentials, and never exposed to workflows processing untrusted input.
Additional best practices include regular auditing of code, dependencies, and agent behaviors, implementing input sanitization and prompt validation, practicing credential hygiene (such as using short-lived tokens and frequent rotation), pinning dependencies, and monitoring for anomalous behavior. An incident response plan should be in place to address potential compromise.
Indicators of Compromise
The following caveat applies: Indicators of compromise (IOCs) are point-in-time and should be validated before enforcement. At the time of writing, no public indicators of compromise were available from reputable, scraped sources for this vulnerability.
References
CSA Research Note: Prompt Injection in AI-Powered GitHub Actions (May 2026), GitHub Advisory GHSA-63mx-j37w-gh59 (nnU-Net), CVE-2026-44246 (SentinelOne), Aikido Security: Prompt Injection Inside GitHub Actions, Wiz Security: tj-actions/changed-files Supply Chain Attack, MITRE ATT&CK T1677, OWASP Top 10 for Agentic Applications (2026), GitHub Agentic Workflows Security Architecture
Rescana is here for you
Rescana provides a comprehensive Third-Party Risk Management (TPRM) platform that empowers organizations to continuously monitor, assess, and mitigate cyber risks across their entire supply chain. Our platform leverages advanced automation and threat intelligence to help you stay ahead of emerging threats and ensure the security of your digital ecosystem. We are happy to answer questions at info@rescana.com.


