Microsoft researchers disclosed a now-patched vulnerability in Anthropic's Claude Code GitHub Action that could have allowed attackers to expose credentials stored in software development pipelines by manipulating the AI agent through malicious GitHub content. In a blog post on Friday, Microsoft warned that AI coding agents running inside CI/CD workflows may create new security risks because those environments often have access to API keys, cloud credentials, and other sensitive information.