$ research-item --score 25 --exploit none

Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories

Research page generated from configured evidence sources. Treat this as an analyst workbench: facts are sourced, gaps are labelled, and low-confidence chatter is separated from confirmed evidence.

Executive judgement

Priority score: 25
Confidence: high
Exploit status: none — No public exploitation signal captured by the configured pipeline yet.
CISA KEV: No CISA KEV match captured in configured source data at generation time.
Published/observed: 2026-06-04

What happened

A security researcher found a flaw in Anthropic’s Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it, with nothing more than a single opened GitHub issue. Because Anthropic’s own action repo used the same workflow, a working attack could have pushed malicious code into the action itself and onto the projects downstream that pull it. RyotaK of GMO

Why it matters

The item was promoted because the pipeline observed: priority score 25, exploit status none, confidence high.
No CVE was extracted from the source story yet, so this should be treated as a news/campaign cluster until primary technical identifiers are found.
No PoC signal was detected by the current pipeline unless shown elsewhere on this page.

Evidence collected

NEWS: Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories

Exploitation and PoC status

Current automated assessment: No public exploitation signal captured by the configured pipeline yet.
Public exploit/PoC: No PoC source captured yet by the configured pipeline.
Exploited in the wild: Not confirmed by configured sources at generation time.
Ransomware association: No ransomware association captured at generation time.

Dark web / low-confidence chatter

AlienVault OTX pulse: Argamal: Malware hidden in hentai games
AlienVault OTX pulse: Preinstall to persistence: Inside the npm Miasma credential-stealing campaign
AlienVault OTX pulse: Browser Spy-Ons: Threat Actor’s Extension Hijack Your AI Conversations
AlienVault OTX pulse: The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP
AlienVault OTX pulse: PCPJack Hijacked 230 AWS, GCP, and Azure Servers to Run a Hidden SMTP Relay Network
AlienVault OTX pulse: Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem

Defender actions

Immediately review GitHub Actions workflows using ‘anthropic/claude-code-action’; pin to a safe version (e.g., v1.2.3) or disable.
Implement GitHub Actions permissions at minimum required scope: set permissions: read-only and restrict contents to write only for necessary jobs.
Enable GitHub Actions require approval for first-time contributors and fork pull requests in repository settings.

Exposure validation ideas

Search asset inventory for affected vendor/product names and any CVE reference.
Check internet-facing exposure through approved tools only: Shodan/Censys/GreyNoise links below are research starting points, not proof of exposure.
Prioritise management interfaces, edge devices, identity/control-plane systems, and OT/ICS assets where relevant.

Detection / hunting ideas

Review vendor logs for authentication failures, privilege changes, unexpected admin activity, and anomalous management-plane access.
Search SIEM/EDR telemetry for product-specific process names, network services, and newly published indicators from primary sources.
Monitor for scanner traffic or nuclei/metasploit module references once public exploit tooling appears.

Research links

Open questions

Is there a primary vendor advisory with exact affected versions and fixed versions?
Has CISA KEV, Shadowserver, GreyNoise, or a trusted vendor confirmed exploitation?
Are there credible PoC repositories or only secondary reporting mentioning PoC?
Is there underground/forum/leak-site discussion, or only public reporting?

Generated: 2026-06-04T19:53:41+00:00

← back to today