Anthropic Claude Code GitHub Action bypass fix (v1.0.94)

Security Patch Release
Happening score
H score 43
1 unique source, 1 article

Summary

Anthropic shipped claude-code-action v1.0.94 to close a trigger-check bypass in the Claude Code GitHub Action, reducing takeover risk for public repositories that run the workflow. The flaw let a single opened GitHub issue slip past the write-access gate when the actor name ended in [bot]. Because the action runs with broad repository permissions, the bug could expose downstream projects to secret theft and workflow poisoning. Anthropic fixed the issue within four days and continued hardening the workflow through spring 2026.

Related Happenings

Miasma GitHub and npm supply-chain campaign

Campaign
First: 02.06.2026 00:38 Last: 02.06.2026 00:38 Sources 1

About this happening: A **Miasma** supply-chain campaign has spread through **GitHub** and **npm** abuse, compromising **309 GitHub repositories** and widening the risk of credential theft across devel...

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...

Actions-cool/issues-helper hit by network compromise

Incident
First: 19.05.2026 08:28 Last: 19.05.2026 08:28 Sources 1

About this happening: The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....

GitHub CVE-2026-3854 security patch release

Security Patch Release
First: 29.04.2026 15:41 Last: 29.04.2026 15:41 Sources 1

About this happening: **GitHub** released **security fixes** for **CVE-2026-3854**, patching **GitHub.com** and supported **GitHub Enterprise Server** builds after a critical **remote code execution**...

Claude Code deny-rule bypass fix (version 2.1.90)

Security Patch Release
First: 08.04.2026 12:16 Last: 08.04.2026 12:16 Sources 1

About this happening: **Anthropic** released **Claude Code version 2.1.90** last week to fix a command-parsing flaw that could let **user-configured deny rules** silently stop applying when a command e...

Timeline

  1. 04.06.2026 18:15 2 articles · 1h ago

    Anthropic fixes Claude Code GitHub Action trigger-check bypass in claude-code-action v1.0.94

    Mitigation Patch Update

    Anthropic patched a trigger-check bypass in the Claude Code GitHub Action that could let a single opened GitHub issue slip past the write-access gate on vulnerable public repositories. The remediation landed in claude-code-action v1.0.94 after RyotaK of GMO Flatt Security reported the core bypass in January. The same workflow pattern could also expose Anthropic's own action repo and downstream projects that pull the action.