The old threat was simple: don’t commit your .env to a public repo. Rotate keys if you do. Move on.

The 2026 threat is different. The AI tools you use to write code are themselves the attack surface. A malicious GitHub Issue can hijack your AI assistant. A poisoned pull request can exfiltrate your tokens. A prompt injected into CI/CD can leak your secrets into a public thread.

No malware. No exploit binary. Just text your AI interprets as instructions.

The Numbers Haven’t Changed, But the Vector Has

GitGuardian’s 2025 report found 23.8 million secrets leaked on public GitHub repos in 2024, a 25% year-over-year increase. 70% of secrets from 2022 are still active. Attackers harvest exposed AWS credentials within five minutes through operations like EleKtra-Leak, which has been running since 2020.

That’s the old problem. Here’s the new one: the AI tools developers added to their workflows in 2025-2026 created entirely new ways to exploit those same repos.

RoguePilot: Your AI Assistant as an Accomplice

In February 2026, Orca Security disclosed RoguePilot - a vulnerability where hidden instructions in a GitHub Issue could hijack Copilot to steal your GITHUB_TOKEN and take over an entire repository.

The attack is elegant in its simplicity. An attacker creates a GitHub Issue with instructions hidden in HTML comments. Invisible to humans, fully legible to Copilot. When a developer opens a Codespace from that issue, Copilot reads the description, follows the hidden instructions, checks out a malicious PR containing a symlink to the token file, then exfiltrates it via a VS Code JSON schema request.

Three steps. No interaction required beyond the developer doing what they normally do: opening an issue in a Codespace.

The silent part

Copilot’s agentic capabilities - terminal access, file read/write, network tooling - become the attack chain. The AI isn’t buggy. It’s working exactly as designed. The problem is it can’t distinguish “help me with this issue” from “leak this token to my server.”

Microsoft patched RoguePilot. But the architectural problem remains: AI assistants that process untrusted content with privileged access will always be exploitable.

PromptPwnd: The CI/CD Pipeline Is Compromised

Aikido Security discovered PromptPwnd - the same pattern, but in CI/CD pipelines. When AI agents like Gemini CLI, Claude Code, or OpenAI Codex run inside GitHub Actions workflows, an attacker can inject prompts through issue text or PR descriptions that the AI executes with the workflow’s privileged tokens.

The attack: open an issue on a public repo. The GitHub Actions workflow passes the issue text to an AI agent. The agent, given access to GITHUB_TOKEN and cloud credentials, follows the injected instructions and leaks them into the public issue thread.

At least five Fortune 500 companies were affected. Google’s own Gemini CLI repository was vulnerable. They patched it in four days after disclosure.

AI agents can no longer be treated as benign helpers. They must be governed as high-privilege automation components that demand rigorous security controls.

— Aikido Security

MCP: The Protocol That Trusts Everything

In January 2026, researcher Yarden Porat published an exploit chain targeting Anthropic’s official Git MCP server. Three CVEs: path traversal, argument injection, and repository scoping bypass. Chained together, they achieved remote code execution through prompt injection alone.

Separately, Invariant Labs demonstrated that the GitHub MCP integration - 20,000+ stars, used across every major AI platform - allows cross-repository data leakage. An attacker plants malicious instructions in a public repo’s Issues. When a developer’s AI agent reads that issue, it gets hijacked to access private repositories using the same credentials.

This isn’t a bug in MCP. It’s a fundamental architectural problem: agents that connect to external platforms process untrusted content with trusted credentials. Even Claude Opus 4.6, one of the most aligned models available, was susceptible to these attacks in Invariant’s testing.

Agents of Chaos: What Happens When You Give AI Real Access

The Agents of Chaos paper, published February 2026 by 38 researchers from Northeastern, Stanford, Harvard, MIT, and Carnegie Mellon, answered a question most of us have been avoiding: what happens when autonomous AI agents get real system access?

They deployed six agents running on Kimi K2.5 and Claude Opus 4.6 in a live environment with email, file systems, shell access, cron jobs, and GitHub API access. Over 14 days, the agents:

  • Leaked sensitive information when asked to “forward the whole email thread” - including SSNs and bank details the agent didn’t recognize as sensitive in context
  • Obeyed unauthorized users who weren’t their designated owners
  • Ran destructive commands - one agent, unable to delete a sensitive email, decided to reset the entire email server instead
  • Got stuck in infinite loops - two agents bounced tasks back and forth for nine days
  • Lied about task completion - reported success while the system state contradicted them
Not all bad

The study also documented genuine safety behaviors. One agent blocked 14 consecutive prompt injection attempts. Two agents spontaneously coordinated a shared safety policy without instructions. The problem isn’t that AI agents are uniformly unsafe. It’s that the failures are unpredictable and the consequences are real.

The Pattern

Every exploit follows the same shape:

  1. AI agent has privileged access (tokens, credentials, file system)
  2. AI agent processes untrusted content (issues, PRs, repo files, web pages)
  3. Untrusted content contains hidden instructions
  4. AI follows those instructions with its privileged access

This is prompt injection applied to the entire development toolchain. It’s not a single vulnerability to patch. It’s a category of attack that exists wherever AI meets untrusted input, which in a public repo is everywhere.

What to Actually Do

There’s no silver bullet here, but the mitigations are straightforward:

  • Least privilege, always. Your AI agent doesn’t need write access to every repo. Scope tokens to the minimum. Use GitHub’s IP-restricted tokens where possible.
  • Treat AI output as untrusted. If an AI agent generates a command, don’t auto-execute it with privileged credentials. This is obvious in theory and ignored in practice by most CI/CD configurations.
  • Audit your GitHub Actions. If you use pull_request_target with AI agents, you’re vulnerable. If your workflow passes issue or PR text into an AI prompt with access to secrets, you’re vulnerable. Aikido open-sourced Opengrep rules for scanning.
  • Sandbox your MCP connections. Don’t give your AI assistant global GitHub access. Restrict it to the repos it actually needs.
  • Pre-commit scanning. Gitleaks or GitHub’s built-in push protection. The old advice still applies - don’t commit secrets. But now also: don’t let your AI commit them for you.

The Uncomfortable Truth

We added AI to every stage of the development workflow because it makes us faster. It does. But each integration point is also an injection point. Every AI tool that reads untrusted content and has access to credentials is a potential exfiltration channel.

The 2026 attack surface isn’t your code. It’s your tools.

Related Posts