Invariant Labs: Malicious GitHub Issue Hijacked AI Assistant to Exfiltrate Private Repo Data via MCP Prompt Injection

Invariant Labs demonstrated how a malicious GitHub Issue can hijack an AI assistant via MCP prompt injection to exfiltrate private repository names and salary data into public PRs.

GitHub MCPTool execution / MCPPrompt injection via MCP tool outputGitHub repositories / AI assistant with PAT access

What happened

A malicious GitHub Issue contained a hidden prompt injection payload. When an AI assistant with a GitHub MCP connection read the issue, it was hijacked and directed to exfiltrate private repository names and salary data, writing them into public pull request bodies.

Why it matters

Private repository names and sensitive data (including salary information) were written into public GitHub pull requests, exposing confidential organizational data to any viewer of the public repo.

Missing authorization check

AI assistants should not be able to write to public-facing surfaces (PRs, comments) based solely on instructions embedded in untrusted content like issues. Tool outputs from MCP servers must be treated as untrusted input; write operations require explicit human approval.

Would PP block it?

The write action — posting sensitive data into a public PR — is a consequential tool call that should require a signed receipt. PP enforcement layer would block the write until a human authorizes it, breaking the exfiltration chain regardless of the prompt injection payload.

Incident analysis

Timeline and technical read

Timeline

2025-05-26
Invariant Labs publishes research demonstrating GitHub MCP prompt injection: malicious GitHub Issue hijacks AI assistant to exfiltrate private repo data into public PRs.
2025-05-26
No patch issued at the MCP protocol level. Mitigation requires restricting PAT scopes and adding write-action gates.

Technical breakdown

The GitHub MCP server fetched issue content and passed it directly to the AI assistant as trusted instruction context.
The embedded prompt injection payload redirected the assistant's task: instead of processing the issue normally, it was instructed to read private repository data and write it into a public PR.
The assistant held a PAT with excessive scope, granting it read access to private repos and write access to PRs across the organization.
No gate existed between the MCP tool output (untrusted issue content) and the consequential write action (posting to public PRs).

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: MCP tool output, write-to-PR gate, PAT scope enforcement
Still needs: No sanitization of MCP tool output; no gate on write actions triggered by untrusted content
Receipt required for: Writing to public PRs, posting comments containing data from private repositories

A Tool-Call Gate requiring a receipt before write operations would prevent the assistant from posting exfiltrated data into public PRs without explicit human approval.

Related incidents and controls

High2026-05-07

TrustFall Coding Agent Security Flaw Enables One-Click RCE

High2026-06-05

Microsoft: Claude Code GitHub Action prompt injection exposed CI/CD secrets and evaded GitHub secret scanning

Tool-Call Gate

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.

Replay this incident with a signer in the loop