Prompt Injection Weaponized: Attackers Now Hijack AI in Software Supply Chains
Hidden commands turn AI dev agents into unwitting accomplices, compromising CI/CD pipelines to leak secrets and inject malicious code.
December 5, 2025

The accelerating integration of artificial intelligence into enterprise software development is creating a new and critical attack surface, security researchers have warned. A novel class of vulnerabilities, exposed by connecting AI agents to automated workflows in platforms like GitHub and GitLab, allows attackers to hijack these systems, steal sensitive data, and manipulate code repositories. This emerging threat, which affects widely used tools such as Google's Gemini CLI, Claude Code, OpenAI Codex, and GitHub AI Inference, represents a significant evolution in software supply chain risks, moving beyond traditional code flaws to the manipulation of AI-driven processes.[1][2][3][4][5] The vulnerability highlights a dangerous side effect of the rush to automate development tasks, where the very tools designed for efficiency become conduits for malicious attacks.
At the heart of this new security risk is a technique known as prompt injection, which has been demonstrated to be practical and already present in real-world workflows.[1][4][6] Security firm Aikido Security, which identified and named this class of vulnerabilities "PromptPwnd," found that attackers can embed hidden, malicious commands within seemingly harmless text inputs, such as the titles of bug reports or descriptions in pull requests.[2][5] When an automated AI agent processes this text to perform tasks like issue triage or code summarization, it misinterprets the malicious instructions as legitimate commands.[1][2] This confusion turns the AI agent into an unwilling accomplice, executing actions with the permissions it has been granted within the development pipeline. The core of the problem lies in a common but insecure practice: feeding raw, untrusted user input directly into the prompts that guide these powerful AI models.[2][4][7]
The consequences of such an attack are severe, escalating from simple mischief to critical infrastructure compromise. Because these AI agents are often given high-privilege access tokens to modify code, manage issues, and interact with other systems, a successful prompt injection attack can have a devastating impact.[2][4] Attackers can command the AI to leak sensitive credentials, such as API keys and cloud access tokens, by tricking it into embedding them in a public issue title.[2][5][8] They can also instruct the agent to modify repository data, potentially inserting subtle, malicious code into the software supply chain that could go undetected until it reaches end-users.[1][2] This represents one of the first confirmed demonstrations that prompt injection is not just a theoretical chatbot problem but a practical method for compromising critical CI/CD (Continuous Integration/Continuous Deployment) pipelines.[1][4]
The real-world impact of this vulnerability is not hypothetical. Researchers have confirmed that at least five Fortune 500 companies were affected by this flaw, with strong indications that the issue is widespread.[1][2][4][5] In a notable example of responsible disclosure, Aikido Security discovered that Google's own repository for its Gemini CLI tool was vulnerable to this exact attack pattern.[4][5] An attacker could have submitted a specially crafted issue that would cause the AI agent to leak sensitive project secrets.[5] Google acknowledged the vulnerability and swiftly patched the issue within four days of being notified, underscoring the seriousness of the threat.[2][5] The existence of these vulnerabilities in major corporate and open-source projects demonstrates that as organizations increasingly rely on AI for development automation, they are simultaneously creating a new, largely unexplored attack surface that malicious actors have already begun to target.[4]
In response to these findings, security experts are urging enterprises to adopt a more cautious and security-conscious approach to integrating AI into their workflows. The primary recommendation is to treat AI agents as high-privilege automation components that demand rigorous security controls.[1] This includes strictly limiting the permissions granted to AI agents and disabling high-risk capabilities like shell command execution or direct code modification unless absolutely necessary.[1][4] Another critical step is to never feed untrusted user input directly into AI prompts without thorough sanitization and validation to strip out potential malicious instructions.[2][4] Furthermore, all output from an AI agent, whether it is code, commands, or text, should be treated as untrusted and ideally require human review and approval before execution.[2][4] To aid developers in identifying these flaws, Aikido Security has released open-source scanning tools to detect vulnerable configurations in GitHub Action files.[2][4][6] As AI becomes more deeply embedded in the software development lifecycle, the industry faces the challenge of balancing the drive for automated efficiency with the imperative of securing the foundational pipelines of the digital world.
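As an added illustration, not Aikido's scanner or any project's code, the following Python check looks for the insecure configuration pattern described above: attacker-controlled event fields (issue titles, PR descriptions) interpolated into an AI-driven step in a workflow that also holds write permissions. The list of untrusted contexts, the keyword match on AI action names and the sample workflow are assumptions constructed for this example.

```python
import re

# Workflow expression contexts that an outside contributor controls just by
# opening an issue, PR or comment. Assumed list for this example; it is not
# complete and is not Aikido's own rule set.
UNTRUSTED_CONTEXTS = {
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.comment.body", "github.event.review.body",
    "github.head_ref",
}
EXPR_RE = re.compile(r"\$\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")
# A step is treated as AI-driven if its `uses:` names an agent action;
# matching on keywords is a heuristic assumed for this example.
AI_STEP_RE = re.compile(r"uses:\s*\S*(gemini|claude|codex|ai-inference|ai-triage)", re.I)
# Permissions that let a hijacked agent write back to the repository.
WRITE_PERM_RE = re.compile(
    r"^\s*(permissions:\s*write-all|(contents|pull-requests|issues):\s*write)\s*$", re.M)

def scan_workflow(text):
    """Return untrusted-context uses (line, context) plus risk flags."""
    taints = [(n, ctx) for n, line in enumerate(text.splitlines(), 1)
              for ctx in EXPR_RE.findall(line) if ctx in UNTRUSTED_CONTEXTS]
    return {
        "untrusted_inputs": taints,
        "ai_step": bool(AI_STEP_RE.search(text)),
        "write_permissions": bool(WRITE_PERM_RE.search(text)),
    }

def risk_level(report):
    """All three conditions together reproduce the PromptPwnd pattern."""
    if not report["untrusted_inputs"]:
        return "low"
    if report["ai_step"] and report["write_permissions"]:
        return "critical"
    return "medium"

# Constructed sample workflow (not a real project's file): the raw issue
# title and body land in an agent prompt, and the job can write to the repo.
SAMPLE_WORKFLOW = """\
name: triage
on: [issues]
permissions:
  issues: write
  contents: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/ai-triage-action@v1
        with:
          prompt: |
            Label this issue: ${{ github.event.issue.title }}
            ${{ github.event.issue.body }}
"""

if __name__ == "__main__":
    report = scan_workflow(SAMPLE_WORKFLOW)
    print(risk_level(report), report)
```

Dropping the write permissions to `read` lowers the finding to "medium": the prompt is still built from untrusted text, but a hijacked agent can no longer leak or modify repository data through its own token.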