AI Agents Read the Comments, Then Spill Secrets

Key Takeaways

• Researchers demonstrated a cross-vendor prompt injection pattern against multiple AI coding agents.
• The attack uses GitHub comments, PR titles, and issue bodies as untrusted instruction channels.
• Sensitive tokens and workflow secrets could be exposed through agent outputs, logs, or comments.
• The incident highlights growing AI supply chain risk in agent-driven development pipelines.
• No broad confirmed in-the-wild exploitation was reported at disclosure, but the exposure is serious.

Summary: GitHub comments became an agent control channel

Researchers disclosed a prompt injection technique that can hijack AI coding agents operating inside GitHub workflows. The issue affects tools tied to Anthropic, Google, and Microsoft, and matters because the agents may process attacker-controlled repository content while holding access to sensitive CI/CD context, credentials, and automation tools, according to SecurityWeek.

What We Know

Public reporting on April 16, 2026 described research led by Aonan Guan showing that a single prompt injection pattern could work across several popular AI coding agents integrated with GitHub workflows. The reported targets included Anthropic Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent. The attack path relies on the agents consuming repository content such as pull request titles, issue bodies, and comments as part of their working context.

As Cybernews noted, the technique was framed as “Comment and Control,” a prompt injection class where attacker-supplied GitHub text steers agent behavior during GitHub Actions runs. The reporting indicates the vendors paid bug bounties, but public disclosure artifacts such as CVEs or formal advisories were limited or absent at the time the issue was widely reported. That leaves defenders with a visibility gap, especially if they rely on default workflow configurations or older agent implementations.

What Could Happen

This incident is best understood as an indirect prompt injection problem combined with over-trusted automation. The vulnerable pattern appears when an AI agent reads attacker-controlled content and treats it as part of the instruction set for a privileged task. In a GitHub workflow, that can mean the agent is influenced into running commands, fetching environment data, or surfacing sensitive values inside comments, findings, or logs.

The risk grows because agentic development tools sit close to secrets, source code, and automation pathways. As The Next Web reported, the demonstrated attacks did not need traditional external command-and-control infrastructure. The model could be induced to return stolen values directly through the development workflow itself. This is exactly why prompt injection becomes more dangerous when models are connected to tools and execution layers. The issue is not just bad input handling. It is the combination of untrusted context, agent autonomy, and access to high-value systems.

Why It Matters

For security teams, the core lesson is that AI coding agents can turn everyday collaboration features into attack surfaces. GitHub comments and issue text normally look harmless, but once an agent treats them as operational context, they can become a vehicle for instruction smuggling. That raises the chance of credential exposure, poisoned outputs, and untrusted automation decisions inside software delivery pipelines.

The broader implication is supply chain exposure. Organizations increasingly depend on external models, hosted services, and integrated development tooling, which means one weakness in agent behavior can ripple through repositories, pipelines, and downstream environments. That aligns with the concerns described in PointGuard AI’s overview of AI supply chain security, where dependencies, integrations, and opaque third-party components widen the effective attack surface. For governance teams, incidents like this also reinforce the need for stronger controls over AI behavior, data boundaries, and approval workflows before agent use scales further.

PointGuard AI Perspective

This incident shows why securing AI agents requires more than static guardrails or one-time testing. Organizations need controls that account for how models interact with tools, workflows, and untrusted external content in real time. PointGuard AI helps reduce this risk by improving visibility into where agent-driven workflows connect to sensitive systems, third-party components, and privileged automation paths.

PointGuard AI also supports stronger governance over agent behavior, helping teams define what AI systems are allowed to access, what actions they can take, and how risky interactions should be monitored or blocked. That matters in scenarios like this one, where the security failure is not a single bad prompt but a breakdown in trust boundaries across the workflow. PointGuard AI’s approach to AI governance and runtime control helps organizations reduce exposure from prompt injection, supply chain complexity, and unsafe autonomous behavior. The path to trustworthy AI adoption depends on treating agent workflows as security-critical systems, not convenience features.

Incident Scorecard Details

Total AISSI Score: 6.9/10

Criticality = 8, The affected agents can operate near source code, workflow secrets, and CI/CD execution paths, AISSI weighting: 25%
Propagation = 8, The pattern appears reusable across multiple agent frameworks and GitHub-based workflows, AISSI weighting: 20%
Exploitability = 4, Public proof of concept and disclosure exist, but broad active exploitation was not confirmed in reporting, AISSI weighting: 15%
Supply Chain = 8, The risk is amplified by dependence on third-party agent tooling and hosted AI integrations, AISSI weighting: 15%
Business Impact = 6, The exposure is high risk and could lead to serious compromise, but material real-world damage was not confirmed at disclosure, AISSI weighting: 25% (SecurityWeek)

Sources

• SecurityWeek: Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments
  https://www.securityweek.com/claude-code-gemini-cli-github-copilot-agents-vulnerable-to-prompt-injection-via-comments/
• Cybernews: Researchers hijack popular AI agents from Anthropic, Google, and Microsoft
  https://cybernews.com/security/ai-agents-github-prompt-injection-pattern/
• The Next Web: AI agents hijacked via prompt injection bug bounties, no CVE
  https://thenextweb.com/news/ai-agents-hijacked-prompt-injection-bug-bounties-no-cve‍
• PointGuard AI: What is Prompt Injection?
  https://www.pointguardai.com/faq/prompt-injection‍
• PointGuard AI: Supply Chain Risk Management Solutions
  https://www.pointguardai.com/supply-chain