Anthropic, Google and Microsoft Quietly Closed AI Agent Bugs Without CVE and Warnings

The problem with AI agents in development turned out to be not theoretical: security researcher Aonan Guan demonstrated that tools from Anthropic, Google, and Microsoft built into GitHub Actions can be intercepted through prompt injection and turned into a channel for secret leakage. In all three cases, the agent needed only to read text prepared by an attacker in an ordinary work context, after which it would publish API keys, GitHub tokens, and other CI environment data on its own. The attack was named Comment and Control.

Its essence is that malicious instructions are hidden not in a separate exploit or external server, but directly in GitHub data that the agent is already obligated to read for its work: in the pull request header, in the issue description, in comments, and in one scenario, even in a hidden HTML comment. After this, the agent perceives the text not as data, but as a command. From there, the scheme is simple: the bot reads the injected instruction, executes the needed action, extracts secrets from the GitHub Actions runtime environment, and returns the result back to GitHub itself — for example, in a PR comment, an issue comment, a commit, or a pipeline log.

In the case of Anthropic, the vulnerable component was Claude Code Security Review — a GitHub Action for checking pull requests for security issues. Guan showed that it was enough to inject a payload into the PR header for the agent to execute commands and include the result in its JSON response, which was then published in a comment. According to the researcher's timeline, the report to Anthropic was sent on October 17, 2025, the company assigned CVSS 9.

4 severity to the issue, and on November 25 paid out $100 bug bounty. The fix amounted to partial restriction of dangerous calls and updating the security considerations section in the documentation, but the company did not issue a public security advisory or a separate CVE. A similar scenario worked against Google Gemini CLI Action.

Here the attacker added text to issues and comments that was disguised as a trusted context fragment and overrode the model's protective instructions. As a result, the agent published its own GEMINI_API_KEY as a regular comment. According to Guan's timeline, Google received the report on October 29, 2025, and on January 20, 2026, paid out $1,337.

GitHub Copilot Agent, which belongs to Microsoft's product line, had an even more interesting scheme: the malicious instruction was placed in an HTML comment, invisible to humans in the Markdown render, but readable by the agent. After being assigned a task, Copilot followed these instructions despite additional protective layers like environment filtering, secret scanning, and network restrictions. GitHub initially closed the report as informative, then after further review reopened it and on March 9 paid out $500.

The most unfortunate conclusion here is not about the bounty size, but about the disclosure model. Neither Anthropic, nor Google, nor GitHub issued public warnings in the format customary for security, and CVEs for these cases never appeared. This means that teams that pinned older versions of actions or integrations could have never learned about the risk.

For vulnerability scanners, such a problem as if doesn't exist, because it has no standard identifier. For security teams, it's harder to put under control, track in registries, and tie to internal patching procedures. Formally, companies could consider prompt injection not a classical bug in code, but a side effect of agent architecture, but from a practical standpoint the consequences are the same as with any critical vulnerability: leakage of access keys and tokens from the environment where automation runs.

The story is also important because it challenges a basic assumption underlying the entire wave of AI automation in development. An agent is simultaneously given access to untrusted user input, to command execution tools, and to sensitive secrets, because otherwise it cannot do useful work. It is precisely this combination that creates systemic risk.

If the industry continues to embed such agents in code review, triage, deployment, and CI/CD without a proper isolation model and incident disclosure procedure, attacks like this will become not an exception, but a regular part of the threat model.