Microsoft Threat Intelligence disclosed that the Claude Code GitHub Action (Anthropic) was vulnerable to prompt injection attacks that directed the AI agent to read /proc/self/environ and exfiltrate CI/CD environment secrets, including the ANTHROPIC_API_KEY. Anthropic patched the specific vulnerability in version 2.1.128 on May 5, 2026, but Microsoft characterizes the root issue as a structural threat class affecting any AI agent with simultaneous access to untrusted input, a secrets store, and an outbound channel. The immediate patch is specific to Anthropic’s GitHub Action; the architectural risk applies broadly to any vendor’s agentic AI tooling embedded in CI/CD pipelines.