Security Firm Discovers Bug that Turns AI Coding Agents Into Secret-Leaking Insider Threats
At least 5 Fortune 500 companies are impacted.
Aikido Security revealed a critical vulnerability coined PromptPwnd that affects AI-driven build workflows using tools such as Gemini CLI, Claude Code Actions, OpenAI Codex Actions, and GitHub AI Inference when embedded in GitHub Actions or GitLab CI/CD pipelines.
"At least 5 Fortune 500 companies are impacted, with early indicators suggesting the same flaw is likely present in many others," the company said in a blog post.
PromptPwnd arises when user-supplied content — such as issue titles, pull-request descriptions, or commit messages — is injected directly into AI prompts.
If these prompts are paired with agents given high-privilege tokens and tool access, attackers can manipulate the AI into executing privileged operations: editing repository content, running shell commands, or exfiltrating secrets such as access tokens.
In a demonstration of how PromptPwnd works, researchers submitted a malicious issue containing hidden instructions. The AI misinterpreted them as commands and executed gh issue edit, embedding sensitive tokens publicly in the issue body — effectively leaking credentials.
To help organisations defend against this risk, Aikido has open-sourced detection rules (via its Opengrep tool) and recommends: restricting tool access for AI agents; sanitizing or validating untrusted user input; treating AI-generated output as untrusted code; and limiting the privileges of tokens used in CI/CD pipelines.
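As an added illustration of the detection idea behind such rules (example code written for this article, not Aikido's Opengrep rules), the following Python scanner flags workflow steps that interpolate untrusted GitHub event fields into an AI agent's prompt and rates the finding by whether the workflow token can write. The prompt input names, the action name and the sample workflows are assumed placeholders.

```python
import re

# Event fields carrying attacker-controlled text (issue titles/bodies, PR
# descriptions, commit messages); a short illustrative list, not Opengrep's.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(issue\.(?:title|body)|pull_request\.(?:title|body)"
    r"|comment\.body|head_commit\.message)\s*\}\}")
# Step inputs that feed text to the model; assumed names, they vary per action.
PROMPT_KEYS = {"prompt", "direct_prompt", "instructions"}
# Heuristic: any permission scope granted "write", or the "write-all" shorthand.
WRITE_PERMS = re.compile(r"^\s*(?:permissions:\s*write-all|[\w-]+:\s*write)\s*$", re.M)

def find_injections(text):
    """(line_no, field) per untrusted field inside a prompt input, block scalars included."""
    hits, block_indent = [], None
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if block_indent is not None and stripped and indent <= block_indent:
            block_indent = None              # multi-line prompt (prompt: |) ended
        key, _, value = stripped.partition(":")
        in_prompt = block_indent is not None
        if key in PROMPT_KEYS:
            in_prompt = True
            if value.strip() in ("|", ">", "|-", ">-"):
                block_indent = indent        # deeper lines that follow are prompt text
        if in_prompt:
            hits += [(n, m.group(1)) for m in UNTRUSTED.finditer(line)]
    return hits

def assess(text):
    """Injection vector plus a writable token is the PromptPwnd combination."""
    hits = find_injections(text)
    if not hits:
        return "ok", hits
    return ("high" if WRITE_PERMS.search(text) else "medium"), hits

# Constructed sample: issue text pasted straight into the prompt, token can write.
VULNERABLE = """\
permissions:
  contents: write
steps:
  - uses: example/ai-agent@v1   # placeholder action name
    with:
      prompt: |
        Label this issue: ${{ github.event.issue.title }}
        ${{ github.event.issue.body }}
"""
# Same prompt with a read-only token: the vector remains, the blast radius shrinks.
REDUCED = VULNERABLE.replace("contents: write", "contents: read")
```

The "medium" rating for the read-only variant reflects the article's point that limiting token privileges reduces impact but does not remove the injection vector itself; restricting the agent's tools and validating the input remain necessary.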
This incident marks the first confirmed real-world case where prompt injection has compromised AI-enabled CI/CD systems — highlighting the urgent need for robust security best practices as AI agents proliferate in developer workflows.
Last month, security researchers at PromptArmor uncovered a major vulnerability in Google’s new AI-powered coding tool, Google Antigravity, that allows attackers to exfiltrate credentials and private code — even when standard safeguards are enabled.