AI brokers embedded in CI/CD pipelines may be tricked into executing high-privilege instructions hidden in crafted GitHub points or pull request texts.
Researchers at Aikido Safety have traced the issue again to workflows that pair GitHub Actions or GitLab CI/CD with AI instruments equivalent to Gemini CLI, Claude Code Actions, OpenAI Codex Actions or GitHub AI Inference. They discovered that unsupervised user-supplied strings equivalent to problem our bodies, pull request descriptions, or commit messages, may very well be fed straight into prompts for AI brokers in an assault they’re calling PromptPwnd.
Relying on what the workflow lets the AI do, this will result in unintended edits to repository content material, disclosure of secrets and techniques, or different high-impact actions.
