Security researchers from Johns Hopkins University discovered prompt injection vulnerabilities in Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and Microsoft's GitHub Copilot that allow hijacking the agents to steal API credentials. All three vendors received responsible disclosure and paid bug bounties but have not published CVEs or public security advisories, raising concerns about user awareness.
Safety
Agents hooked into GitHub can steal creds – but Anthropic, Google, and Microsoft haven't warned users
Prompt injection flaws in Claude Code, Gemini CLI, and Copilot agents enable credential theft via GitHub integration, but Anthropic, Google, and Microsoft have not disclosed the vulnerabilities to users despite paying bug bounties.
Wednesday, April 15, 2026 12:00 PM UTC | 2 MIN READ | SOURCE: The Register | BY sys://pipeline