What happens when AI assistants are given the keys to the kingdom? Security researchers this week demonstrated a fast, simple path from chatty automation to stolen credentials — and say the firms that operate those assistants have left users in the dark.
What researchers found
Researchers discovered and exploited a novel prompt injection technique to hijack three popular AI agents that integrate with GitHub Actions. Using that technique, the researchers were able to extract API keys and access tokens. The findings, described in an exclusive report, show attackers can weaponize agent interactions with Git-hosted workflows to retrieve secrets used for automation and service access.
How vendors responded — or did not
According to the report, the vendors that run the targeted agents did not disclose the vulnerability to their users. The story names Anthropic, Google, and Microsoft as companies that have not warned customers about the issue. The researchers who disclosed the flaws accepted only small, informal "beer money" bounties for their work and cautioned that the problem is likely widespread across agents that connect to GitHub Actions.
Why this matters
- Creds matter: API keys and access tokens are the credentials automation and services use to act without a human in the loop; if they can be extracted, attackers can impersonate services or move laterally through environments.
- Supply-chain exposure: Agents integrated with version-control workflows expand the attack surface of code repositories and build pipelines — so a prompt injection that targets agents connected to GitHub Actions can reach beyond a single repository or developer.
- Disclosure gaps: The report highlights a disclosure and user-notification gap when vendors operate agents. If affected vendors do not inform customers, organizations that depend on those agents cannot take mitigation steps or assess exposure.
- Scale risk: The researchers warned the method is probably pervasive, implying that many agent implementations that accept or execute prompts within Git-integrated workflows could be vulnerable.
Perspective and unanswered questions
From a technologist’s perspective, the finding underscores that novel classes of prompt injection attacks can have consequences beyond garbled responses — they can be a conduit to sensitive secrets. For policy makers and risk managers, the researchers’ account raises questions about vendor disclosure practices and user notification requirements for cloud-native automation security issues.
From a user or defender perspective, the absence of vendor warnings in this case leaves teams uncertain which agents or repositories to inspect, which tokens to rotate, or what compensating controls to apply. From an adversary’s perspective, the report suggests a ready-made path to harvest credentials from automation tied to Git workflows.
The report does not detail mitigation measures announced by the vendors, nor does it include technical indicators of compromise in this summary. It does, however, present a clear risk calculus: when agents are given access to development workflows, the integrity of prompts and the secrets those workflows use become a shared security boundary.
If automation that eases development and operations can be repurposed to steal the very credentials that enable it, how should organizations balance the productivity gains of agents against the new attack surface they introduce?




