Security engineer Aonan Guan disclosed a prompt injection technique dubbed “Comment and Control” that can attack Anthropic Claude Code, Google Gemini CLI and GitHub Copilot Agent at the same time, SecurityWeek reported on Wednesday.
The attack, found with support from researchers at Johns Hopkins University, manipulates common GitHub content such as comments, PR titles and issue bodies so that an AI agent mistakes it for legitimate instructions and runs the commands an attacker wants, SecurityWeek reported.
Guan said that in a Claude Code security review, a specially crafted PR title could trick an AI agent into executing arbitrary commands and extracting credentials, exposing them in security reports or GitHub Actions logs.
In Gemini CLI Action, an issue comment containing prompt injection bypassed guardrails and stole a full API key.
For GitHub Copilot Agent, the payload was hidden in an HTML comment to bypass environment filtering, scan for secrets and exfiltrate data past a network firewall.
The Claude Code and Gemini CLI attacks automatically trigger GitHub Actions workflows without victim involvement. For Copilot, the victim must directly assign the issue to Copilot.
Guan said, “This pattern applies to any AI agent that processes untrusted GitHub data and accesses execution tools running in the same runtime as production secrets,” adding, “Beyond GitHub Actions, the injection surface changes for Slack bots, Jira agents, email agents and deployment automation, but the pattern is the same.”
All three companies confirmed the vulnerabilities. Anthropic classified it as “critical” and paid a $100 bug bounty while applying some mitigations. Google paid $1,337. GitHub paid $500 and classified the issue as a known architectural limitation.
Guan said, “This is the first publicly disclosed cross-vendor demonstration that simultaneously attacked three major AI agents with a single prompt injection pattern,” adding, “The fundamental problem is in the architecture. AI agents are designed to handle external inputs and sensitive information such as API keys and tokens together in the same environment. Even if malicious instructions come in from outside, the structure allows immediate access to sensitive information.”
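The architectural pattern described above can be checked for in a repository's own workflows. The following audit sketch is an added example, not code from Guan or any of the vendors: for a workflow triggered by events whose text outsiders can write, it reports which secrets sit in the same job as interpolated issue, PR or comment text. The sample workflows, the action name `example-org/ai-agent-action` and the secret names are constructed, and the regex parsing assumes conventional two-space YAML indentation.

```python
import re

# Events whose payload (titles, bodies, comments) outside users can write.
UNTRUSTED_EVENTS = {"issues", "issue_comment", "pull_request", "pull_request_target"}
UNTRUSTED_FIELD = re.compile(r"github\.event\.(?:issue|pull_request|comment)\.(?:title|body)")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")

def untrusted_triggers(text):
    """Events in the top-level `on:` block that carry attacker-writable text."""
    m = re.search(r"^on:(.*?)(?=^\S|\Z)", text, re.M | re.S)
    return set(re.findall(r"[a-z_]+", m.group(1) if m else "")) & UNTRUSTED_EVENTS

def split_jobs(text):
    """Map job id -> job body, assuming two-space indentation under `jobs:`."""
    m = re.search(r"^jobs:[ \t]*\n(.*)", text, re.M | re.S)
    parts = re.split(r"^  ([\w-]+):[ \t]*$", m.group(1) if m else "", flags=re.M)
    return dict(zip(parts[1::2], parts[2::2]))

def exposed_secrets(text):
    """Per job: secrets that share a runtime with interpolated untrusted text."""
    if not untrusted_triggers(text):
        return {}
    return {job: sorted(set(SECRET_REF.findall(body)))
            for job, body in split_jobs(text).items() if UNTRUSTED_FIELD.search(body)}

# Constructed sample: the agent step and the deployment step share one job.
WEAK = """\
on:
  issue_comment:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/ai-agent-action@v1
        with:
          prompt: "Triage this: ${{ github.event.comment.body }}"
          api_key: ${{ secrets.EXAMPLE_MODEL_KEY }}
      - run: ./deploy.sh
        env:
          TOKEN: ${{ secrets.EXAMPLE_DEPLOY_TOKEN }}
"""
# Constructed sample: same steps, with deployment moved into its own job.
SPLIT = WEAK.replace(
    "      - run:", "  deploy:\n    runs-on: ubuntu-latest\n    steps:\n      - run:")

if __name__ == "__main__":
    print("weak :", exposed_secrets(WEAK))
    print("split:", exposed_secrets(SPLIT))
```

Splitting the jobs removes the deployment token from the agent's runtime, but the model key remains listed, so it still has to be treated as exposed to whatever the comment text can make the agent do.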