GitHub MCP Exploited: Accessing Private Repositories via MCP

https://news.ycombinator.com/rss Hits: 30
Summary

Invariant has discovered a critical vulnerability affecting the widely used GitHub MCP integration (14k stars on GitHub). The vulnerability allows an attacker to hijack a user's agent via a malicious GitHub Issue and coerce it into leaking data from private repositories. The issue is among the first discovered by Invariant's automated security scanners for detecting so-called Toxic Agent Flows. In such a scenario, an agent is manipulated into performing unintended actions, such as leaking data or executing malicious code. For more information, see below. It is highly relevant to raise awareness about this issue at this time, as the industry is racing to deploy coding agents and IDEs widely, potentially exposing users to similar attacks on critical software development tools.

Attack Setup

In this attack setup, the user is using an MCP client like Claude Desktop with the GitHub MCP server connected to their account. We assume the user has created two repositories:

- <user>/public-repo: a publicly accessible repository, allowing everyone on GitHub to create issues and bug reports.
- <user>/private-repo: a private repository, e.g. with proprietary code or private company data.

By standard GitHub rules, an attacker can now create a malicious issue on the public repository, containing a prompt injection waiting for the agent to interact with it. The actual attack triggers as soon as the user and owner of the GitHub account queries their agent with a benign request, such as "Have a look at the open issues in <user>/public-repo", which leads to the agent fetching the issues from the public repository and getting injected. See below for an illustration of the ensuing flow.

As shown there, as soon as the agent encounters the malicious GitHub issue, it can be coerced into pulling private repository data into context and leaking it in an autonomously created PR in the public repository, freely accessible to the attacker or anyone else.
Toxic Flows

We call this use of indirect ...
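The flow described above (issues read from a public repository, private repository content pulled into context, then a PR opened on the public repository) can be caught at the tool-call layer. The following is an added example, not code from Invariant or the GitHub MCP project: a small session guard that taints the session once a private repository has been read and denies later write tools aimed at any other repository. The tool names, the trace format and the repository inventory are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed inventory of the user's private repositories (assumption).
PRIVATE_REPOS = {"acme/private-repo"}
# Assumed GitHub MCP tool names, split by whether they read or write repository data.
READ_TOOLS = {"list_issues", "get_issue", "get_file_contents", "search_code"}
WRITE_TOOLS = {"create_pull_request", "create_issue", "add_issue_comment", "push_files"}


@dataclass(frozen=True)
class ToolCall:
    tool: str  # MCP tool invoked by the agent
    repo: str  # "owner/name" the call targets


class SessionGuard:
    """Repo-level taint tracking: once the agent has read from a private repository,
    any write to a repository it has not read privately is a possible exfiltration
    channel and is denied for the rest of the session."""

    def __init__(self, private_repos):
        self.private_repos = set(private_repos)
        self.tainted = set()  # private repos whose content may now be in context
        self.denied = []      # write calls refused by the guard

    def check(self, call):
        if call.tool in READ_TOOLS and call.repo in self.private_repos:
            self.tainted.add(call.repo)
            return True
        if call.tool in WRITE_TOOLS and self.tainted and call.repo not in self.tainted:
            self.denied.append(call)
            return False
        return True


def audit(trace, private_repos=PRIVATE_REPOS):
    """Run a trace through a fresh guard; returns (call, allowed) per call."""
    guard = SessionGuard(private_repos)
    return [(call, guard.check(call)) for call in trace]


# Constructed trace mirroring the post: benign issue listing, injected instruction
# makes the agent read the private repo, then open a PR on the public repo.
SAMPLE_TRACE = [
    ToolCall("list_issues", "acme/public-repo"),
    ToolCall("get_file_contents", "acme/private-repo"),
    ToolCall("create_pull_request", "acme/public-repo"),
]

if __name__ == "__main__":
    for call, allowed in audit(SAMPLE_TRACE):
        print(f"{'ALLOW' if allowed else 'DENY '} {call.tool:22s} {call.repo}")
```

A write back to the same private repository the agent read from stays allowed, so ordinary single-repository work is unaffected.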

First seen: 2025-05-27 00:54

Last seen: 2025-05-28 05:58