{"id":217978,"date":"2026-04-17T21:35:51","date_gmt":"2026-04-17T21:35:51","guid":{"rendered":"https:\/\/teknomers.com\/en\/they-kidnapped-agents-from-anthropic-google-and-microsoft-for-the-sake-of-science-the-three-companies-paid-up\/"},"modified":"2026-04-17T21:35:54","modified_gmt":"2026-04-17T21:35:54","slug":"they-kidnapped-agents-from-anthropic-google-and-microsoft-for-the-sake-of-science-the-three-companies-paid-up","status":"publish","type":"post","link":"https:\/\/teknomers.com\/en\/they-kidnapped-agents-from-anthropic-google-and-microsoft-for-the-sake-of-science-the-three-companies-paid-up\/","title":{"rendered":"They Kidnapped Agents from Anthropic, Google, and Microsoft for the Sake of Science: The Three Companies Paid Up"},"content":{"rendered":"\n<div>\n<p>Development teams increasingly rely on AI agents for reviewing issues, analyzing code changes, and executing tasks traditionally handled by humans. However, these systems face significant risks when they operate in environments containing <strong>sensitive keys, tokens, and permissions<\/strong>. Recent research highlights the dangers of deploying these AI tools without well-defined limits, turning them from helpful aids into security liabilities.<\/p>\n<h2>Understanding the Vulnerabilities<\/h2>\n<p>Alarm bells were rung by <a rel=\"noopener, noreferrer nofollow\" href=\"https:\/\/oddguan.com\/\" target=\"_blank\">Aonan Guan<\/a> and Johns Hopkins researchers Zhengyu Liu and Gavin Zhong, who demonstrated vulnerabilities in three AI agents: Claude Code Security Review from Anthropic, Gemini CLI Action from Google, and GitHub Copilot Agent from Microsoft. Their coordinated disclosure of these failures resulted in bounty payments from the companies involved and pointed to a much larger issue.<\/p>\n<h2>Internal Threats: The \u201cComment and Control\u201d Method<\/h2>\n<p>Guan&#8217;s concept of \u201cComment and Control\u201d explains how the attack occurs. 
Instead of setting up external infrastructure, the attacker uses the existing GitHub environment as the delivery channel. Malicious instructions embedded in issue titles or comments are read by the AI agent as part of its normal workflow, with potentially disastrous outcomes.<\/p>\n<p>This method poses significant risks because all three AI agents share a similar operational logic. They read ordinary GitHub content that contains third-party text, while also holding the tools and permissions needed to act on it. Combining untrusted input with real privileges is what creates the vulnerability: the agents can mistake harmful instructions for legitimate tasks.<\/p>\n<h2>Specific Case Studies<\/h2>\n<p>One clear example involves the Claude Code Security Review. Designed to detect potential security flaws in code changes, it could be manipulated through a crafted <em>pull request<\/em> title. This led not only to the execution of harmful commands but also to the extraction of sensitive credentials stored in the environment.<\/p>\n<p>Similarly, the Gemini CLI Action had vulnerabilities that allowed it to disclose the GEMINI_API_KEY through instructions hidden within issues and comments. The GitHub Copilot Agent offered an even more concerning scenario by processing instructions hidden in HTML comments. In each case, seemingly innocuous content manipulated the system\u2019s functionality and exposed sensitive information.<\/p>\n<h2>Broader Impacts and Implications<\/h2>\n<p>These incidents primarily affect repositories that run agents in <strong>GitHub Actions<\/strong>, particularly when they grant access to unverified collaborators. 
The risk profile depends heavily on configuration, since GitHub by default does not expose secrets to <em>pull requests<\/em> from <em>forks<\/em>, but some deployments unknowingly open that door.<\/p>\n<p>Despite the findings prompting bounty rewards\u2014$100 from Anthropic, $1,337 from Google, and $500 from GitHub\u2014there was no public communication or assignment of a <a rel=\"noopener, noreferrer nofollow\" href=\"https:\/\/www.redhat.com\/en\/topics\/security\/what-is-cve\" target=\"_blank\">CVE<\/a> identifier. This lack of transparency means many users may still be running vulnerable versions without knowing they are exposed.<\/p>\n<h2>Looking Ahead: Lessons For The Future<\/h2>\n<p>Guan posits that this pattern is likely replicable in other automated agents, including those connected to tools like Slack and Jira. The fundamental logic remains: if a system must read external content to accomplish its tasks and also holds access permissions, it is susceptible to manipulation through that content.<\/p>\n<p>The ultimate takeaway for developers and organizations is to prioritize security by adhering to the principle of least privilege. Systems should be configured to give agents access only to the tools and information necessary for their specific roles. This proactive approach can mitigate future vulnerabilities and help secure sensitive data in increasingly automated environments.<\/p>\n<p>In conclusion, without attending to these security details, the deployment of AI tools can unintentionally open the door to substantial risks, affecting both individuals and organizations.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Development teams increasingly rely on AI agents for reviewing issues, analyzing code changes, and executing tasks traditionally handled by humans. 
However, these systems encounter significant risks when they operate in environments containing sensitive keys, tokens, and permissions. Recent research highlights the potential dangers of deploying these AI tools without well-defined limits, transforming them from beneficial [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":217979,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36399],"tags":[12968,37607,1723,4420,13712,11700,687,30199,4318],"class_list":["post-217978","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-agents","tag-anthropic","tag-companies","tag-google","tag-kidnapped","tag-microsoft","tag-paid","tag-sake","tag-science"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts\/217978","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/comments?post=217978"}],"version-history":[{"count":1,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts\/217978\/revisions"}],"predecessor-version":[{"id":217980,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts\/217978\/revisions\/217980"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/media\/217979"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/media?parent=217978"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/categories?post=217978"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/tags?post=217978"}],"curies":[{"name":"
wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}