Daniel Lombraña
@teleyinex.eth
The fun with AI is not over! A security firm has found a way to use GitHub MCP servers to get private data from private repositories if you have set up the MCP wrongly: basically, granting your MCP server full access to all your repos. It remains to be discussed how many people do that, but I'm guessing a lot of people will be doing that because it is easier for your agent. Well, the attack is simple: you just start creating tickets on open repositories on GitHub asking to read all issues. The issue contains a prompt that the agent will execute and leak data for you, for example in a PR or in a comment on your issue. Prompt injection is going to be a nightmare for cybersecurity. More here: https://invariantlabs.ai/blog/mcp-github-vulnerability