If you are a CISO, a lead developer, or a modern "vibe coder" in early 2026, you already know that AI agents are fundamentally changing the way we build software. We rely on autonomous tools to review our code, triage our issues, and automate our DevSecOps pipelines. But while we’ve been busy handing over the keys to the kingdom to accelerate our workflows, attackers have been studying how these new digital employees think.
In a traditional cyber attack, hackers look for logic flaws, buffer overflows, or misconfigured firewalls. But in the era of AI-native development, the attack surface has shifted. Security researcher Aonan Guan recently unveiled a devastating new vulnerability pattern dubbed "Comment and Control." This isn't a theoretical sandbox escape. It is a live, cross-vendor prompt injection technique that weaponizes GitHub itself to steal highly sensitive API keys and access tokens from Anthropic Claude Code Security Review, Google Gemini CLI Action, and the GitHub Copilot Agent.
Here is exactly how attackers are turning your AI assistants against you, and how you can lock down your repositories before your credentials walk out the front door.
The "Comment and Control" Attack Vector Explained
If you are familiar with traditional malware, you know about "Command and Control" (C2) servers, external infrastructure set up by an attacker to send instructions to a compromised machine.
"Comment and Control" is a clever play on that concept. Instead of routing traffic to a shady external IP address, the attacker uses GitHub itself as the C2 channel.
The core issue is architectural: AI agents in your CI/CD pipeline (like GitHub Actions) ingest untrusted data, such as pull request (PR) titles, issue descriptions, and user comments. Because Large Language Models (LLMs) cannot inherently distinguish between a legitimate system instruction and malicious user input, an attacker can write a payload disguised as a regular comment. When the AI processes that text, the prompt injection takes over, instructing the agent to execute hidden bash commands and exfiltrate credentials right back into a GitHub comment or a Git commit.
How Three Major AI Agents Were Bypassed
To understand the severity of this threat model, let's break down how this single pattern successfully compromised three of the biggest AI agents on the market.
1. Anthropic Claude Code Security Review
In the case of Anthropic’s automated security review agent, the vulnerability existed right in the PR title. The agent was designed to read the title and use it as context for the code review.
An attacker simply opened a pull request with a malicious title containing bash instructions. Because the PR title was passed into the AI's system prompt without proper sanitization, Claude obediently executed the underlying shell commands. It scanned the environment variables and conveniently posted the ANTHROPIC_API_KEY and the host repository's GITHUB_TOKEN as "security findings" in a PR comment. Anthropic classified this as a Critical CVSS 9.4 vulnerability.
Claude executes the injected commands and embeds the output in its JSON response, which gets posted as a PR comment.
Source: Aonan Guan
2. Google Gemini CLI Action
Google's Gemini CLI Action, an autonomous agent built for routine coding tasks, fell victim to a nearly identical exploit.
Attackers created a GitHub issue featuring a hidden, fake "instruction section" within an issue comment. The AI read the comment, absorbed the malicious instructions overriding its original guardrails, and subsequently published the GEMINI_API_KEY publicly in the issue thread.
3. GitHub Copilot Agent: Breaking Three Layers of Security
The most sophisticated execution of the "Comment and Control" pattern happened against the GitHub Copilot Agent. GitHub actually anticipated attacks and built in three runtime security layers: environment filtering, secret scanning, and a network egress firewall. The prompt injection bypassed all three.
Here is the exact step-by-step breakdown of how the host’s repository was leaked:
- The Invisible Payload: The attacker submitted a GitHub issue containing a malicious payload wrapped inside an HTML comment (``). This is entirely invisible to human developers reading the issue, but the AI model reads the raw text.
- Execution and Environment Bypass: Once a victim assigned the issue to Copilot, the AI triggered the hidden instructions. While GitHub's filters scrubbed sensitive variables from the bash subprocess, the parent Node.js process still held the secrets. The attacker instructed Copilot to run the ps auxeww command, capturing the full environment of the parent process.
- Secret Scanner Bypass: To get past GitHub's secret scanning (which looks for known credential formats like ghp_...), the attacker instructed the AI to encode the stolen environment variables into Base64.
- Firewall Bypass: Because GitHub blocked unauthorized outbound network traffic, the AI couldn't send the data to an external server. Instead, it was instructed to execute a standard git push, an allowed, trusted channel committing the Base64-encoded GITHUB_TOKEN and GITHUB_COPILOT_API_TOKEN directly to the repository where the attacker could retrieve them.
Step-by-Step Guide: How to Stay Safe When Using AI Agents
Prompt injection isn't a traditional software bug that can be fixed with a simple patch; it is an inherent flaw in how language models process context. If you are integrating AI agents into your development pipeline, you must assume the model will eventually be tricked.
Here are the step-by-step actions you must take to secure your CI/CD environments against AI prompt injections:
Step 1: Implement Strict Privilege Isolation
Never run an AI agent with root access or broad repository permissions.
- Action: Assign the principle of least privilege to your AI’s GitHub tokens. If an agent only needs to review code, it should only have read access. It absolutely should not have write access to commit code or push to main branches.
Step 2: Separate Tools from Untrusted Input
The core flaw in "Comment and Control" is that the AI has access to powerful tools (like bash execution) in the exact same runtime environment where it processes untrusted data (like issue comments).
- Action: Sandbox your AI executions. Use ephemeral, isolated containers specifically for AI tasks that contain zero environment variables or secrets. Only pass the exact data the AI needs to function.
Step 3: Sanitize and Strip Hidden Context
Attackers rely on you not seeing the payload.
- Action: Implement pre-processing scripts in your CI/CD workflows that strip HTML comments, invisible characters, and markdown anomalies from PR titles, bodies, and issue comments before they are ever fed to the AI model.
Step 4: Enforce "Human-in-the-Loop" Authorization
Autonomous agents are incredibly fast, but they lack human intuition for deception.
- Action: Require a manual, human approval step before an AI agent is allowed to execute state-changing actions, such as merging a pull request, committing new code, or making outbound API calls.
Step 5: Harden Your Egress Firewalls
Even if the AI is compromised, you can stop the data exfiltration.
- Action: Lock down your runner environments. Block all outbound network connections from the container hosting the AI agent, explicitly whitelisting only the absolutely necessary endpoints (e.g., the specific API endpoint of your LLM provider). Monitor for anomalous git push behaviors.
Conclusion: Adapting to the Agentic Era
The transition to AI-assisted coding is not slowing down; it is accelerating. Tools like Claude Code, Gemini, and GitHub Copilot offer massive productivity boosts that modern engineering teams simply cannot afford to ignore.
However, the discovery of the "Comment and Control" vulnerability is a massive wake-up call for CISOs and developers alike. We can no longer treat AI agents as perfectly secure, infallible assistants. They are powerful, gullible engines that will execute whatever instructions they are given, whether those instructions come from your lead engineer, or a malicious actor hiding in an HTML comment.
By rethinking our architectural boundaries, enforcing strict DevSecOps protocols, and treating every piece of external text as potentially hostile, we can safely harness the speed of AI without handing over the keys to our infrastructure. We recommend checking out Axeploit’s Blogs for more resources and guides on protecting your assets.
