A flaw in Anthropic's Claude Code GitHub Action enabled attackers to hijack repositories by submitting a single GitHub issue. Security researcher RyotaK identified the vulnerability, which allowed complete repository takeover with minimal effort.
The Claude Code action processes GitHub issues to generate code suggestions and automated fixes. The vulnerability stemmed from insufficient input validation when handling issue data. An attacker could craft a malicious GitHub issue containing shell metacharacters or code injection payloads that the action would execute without proper sanitization. This granted the attacker permissions equivalent to the GitHub Actions runner, including the ability to push commits, modify workflows, and deploy code.
The risk extended beyond individual repositories. Anthropic's own Claude Code action repository used the vulnerable workflow internally. An attacker exploiting this flaw could have injected malicious code directly into Anthropic's action repository. This would have propagated the compromise downstream to every organization and developer relying on Claude Code, potentially affecting thousands of projects in a supply chain attack.
The attack required no authentication or special repository permissions. Any user capable of opening a GitHub issue on a public repository running Claude Code could trigger the vulnerability. This low barrier to entry made the flaw particularly dangerous for popular open-source projects using the action.
Anthropic addressed the issue after RyotaK's disclosure. The patch implemented proper input validation and shell escaping for issue content before passing data to the action's code execution environment. Organizations running Claude Code should update immediately to the patched version.
This incident underscores a common weakness in CI/CD security. Automation tools that process external user input without strict validation create attack vectors. GitHub Actions that execute code based on issue comments, pull requests, or repository events require especially rigorous sanitization. Developers should review third-party actions for input handling practices and apply the principle of least privilege to runner permissions whenever possible.
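One way to start the review recommended above is the following Python check, an added example that is not Anthropic's patch and does not reproduce the Claude Code flaw, whose code the article does not show. It flags workflow `run:` steps that expand issue, pull request or comment fields directly into shell text, and workflows with no explicit `permissions:` block. The function name and both sample workflows are constructed for illustration.

```python
import re

# Event fields that anyone able to open an issue, PR or comment controls.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.event\.(?:issue|pull_request|comment|review)\.(?:title|body)"
    r"|github\.head_ref)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def audit_workflow(text):
    """Return [(line_no, message)] for one workflow file's text (line-based, no YAML parser)."""
    findings, run_col = [], None   # run_col: column of the current `run:` key
    for no, line in enumerate(text.splitlines(), 1):
        m = RUN_KEY.match(line)
        if m:
            run_col, script = len(m.group(1)), m.group(2)
        elif run_col is not None and line.strip():
            if len(line) - len(line.lstrip()) <= run_col:  # dedent ends the run block
                run_col = None
                continue
            script = line
        else:
            continue
        for expr in UNTRUSTED.findall(script):
            findings.append((no, f"{expr} is expanded into shell text; pass it via env: instead"))
    if not re.search(r"(?m)^\s*permissions:", text):
        findings.append((0, "no permissions: block; GITHUB_TOKEN scope falls back to the repository default"))
    return findings

# Constructed sample workflows: the weak form beside the corrected one.
WEAK = """\
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Title is ${{ github.event.issue.title }}"
"""
HARDENED = """\
on: issues
permissions:
  issues: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "Title is $TITLE"
"""
```

The hardened form passes the issue title through an environment variable, so the shell receives it as data instead of as part of the script, and it limits the job's token to read access on issues.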
