How to Harden Your CI/CD Pipeline Against AI Coding Agent Prompt Injection
A runtime security audit published this week by researchers at Johns Hopkins University revealed a critical vulnerability they call “Comment and Control” — a single prompt injection hidden in a GitHub pull request title caused three major AI coding agents (Claude Code, Gemini CLI, and GitHub Copilot Agent) to exfiltrate API keys and GitHub tokens via PR comments. All three vendors have patched the specific exploit, but the underlying attack surface remains. Here’s how to lock down your CI/CD pipeline before the next variant drops. ...