Notifications
Clear all
Topic starter
12/06/2026 9:19 pm
TL;DR: A critical prompt injection flaw in Google’s AI-powered GitHub workflow let an external attacker exfiltrate workflow secrets, pivot through repository tokens, and reach full supply-chain compromise across gemini-cli and at least eight other Google repositories, according to Pillar Security. The breach shows that prompt hardening alone does not contain agentic CI/CD risk.
NHIMG editorial — based on content published by Pillar Security: My Agentic Trust Issues, from prompt injection to supply-chain compromise on gemini-cli
Questions worth separating out
Q: What breaks when an AI triage agent can read public issues and reach repository secrets?
A: The trust boundary breaks immediately.
Q: Why do AI agents in CI/CD increase NHI governance risk?
A: They increase risk because they can sit between untrusted triggers and real credentials with enough runtime privilege to act on both.
Q: How do security teams know if prompt injection is becoming a real compromise path?
A: Look for the lethal trifecta: access to private data, exposure to untrusted content, and external communication in the same workflow.
Practitioner guidance
- Disable credential persistence in checkout Set persist-credentials: false on every workflow that processes public issues, pull requests, or other untrusted inputs so tokens are not written into .git/config on the runner.
- Remove filesystem read paths from AI triage steps Review agent permissions so issue triage jobs cannot read runner files, parent-process environment variables, or other workspace artifacts that can be exfiltrated after prompt injection.
- Gate public triggers before agent execution Require author-association checks, trusted labels, or equivalent human validation before any public issue can invoke an AI agent that has tool access or external connectivity.
What's in the full article
Pillar Security's full research covers the operational detail this post intentionally leaves for the source:
- The exact prompt-injection payload used to turn issue triage into secret extraction.
- The workflow-by-workflow escalation path from initial token leakage to contents:write access.
- The patch changes in Gemini CLI and run-gemini-cli that altered tool allowlisting behaviour.
- The disclosure timeline and Google repository scope analysis behind the broader blast radius.
👉 Read Pillar Security's research on prompt injection and gemini-cli supply-chain compromise →
Gemini-cli prompt injection and supply chain compromise risk?
Explore further
12/06/2026 11:18 pm
Prompt injection in CI/CD is a privilege escalation problem, not a prompt-quality problem. The post shows that the agent did not need to be tricked into revealing a secret by name. It only needed access to untrusted text, file reads, and external communication, which is enough to convert issue triage into a credential-extraction path. The practitioner conclusion is that the control question is privilege shape, not model cleverness.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when an AI agent in a pipeline leaks credentials and enables code push access?
A: Accountability sits with the team that designed the workflow permissions and the controls around it, not with the model. The issue is governance over delegated execution, secret persistence, and workflow pivot rights. Frameworks such as the OWASP Agentic AI Top 10 and NIST CSF help map that accountability to access control, logging, and recovery duties.
👉 Read our full editorial: Prompt injection in gemini-cli exposed supply chain compromise
