Researchers Show How a Fake GitHub Comment Can Trick AI Tools Into Leaking Secret Code

A crafted public comment on GitHub can manipulate AI-powered automation into handing over data from private repositories, no password required.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial 16:9 image
Share

Key points

  • Researchers demonstrated in 2025 that a single malicious public comment on GitHub can redirect AI-driven workflows into exposing private repository data.
  • The attack requires no stolen password or insider access; the AI assistant does the work for the attacker.
  • The vulnerability sits in how AI "agents", meaning software that reads instructions and acts on them automatically, process untrusted text.
  • GitHub agentic workflows are used by development teams at companies of every size to automate coding tasks.
  • No patch has been publicly confirmed as of the time of reporting.

A team of security researchers has shown that AI-powered coding assistants built on top of GitHub can be manipulated into leaking private source code by doing nothing more than posting a carefully worded comment in a public forum. The finding, first reported by SecurityWeek, is a clean illustration of a class of attack called prompt injection, where an attacker hides instructions inside ordinary-looking text and tricks an AI system into following them instead of its real orders.

To understand why this matters, picture a factory robot that takes instructions from a clipboard. Normally only the foreman writes on that clipboard. Prompt injection is the equivalent of a stranger sneaking in and scribbling new orders at the bottom of the page. The robot cannot tell the difference.

GitHub is the world's largest platform for storing and sharing software code. Many companies now pair it with AI "agents", which are automated programs that can read code, respond to questions, open tickets, and carry out tasks without a human clicking buttons. These agents are powerful precisely because they can act on their own.

The researchers crafted a malicious GitHub Issue, the public comment and bug-report system any user can post to, in a way that the AI agent would interpret as a command. The agent then fetched data from the company's private repositories, which are the locked, internal vaults where sensitive code lives, and exposed it. No login. No brute-force attack. Just text.

How does this affect ordinary people?

If your employer, bank, hospital, or favourite app stores its software on GitHub and uses AI automation, this attack could expose the internal code that runs those services. Leaked source code can reveal security weaknesses that criminals use in follow-on attacks, which can ultimately lead to stolen customer data.

Development teams should audit what permissions their AI agents hold and apply the principle of least privilege, meaning agents should only have access to the specific repositories they genuinely need. Organisations should also treat any text an AI agent reads from a public source as untrusted input, and build checks that flag unusual data-retrieval requests before the agent acts on them. Training developers to recognise that AI tools can be manipulated through text, not just through code, is a practical and undervalued defensive step.

The researchers have not disclosed the full technical details publicly, which is standard practice while a fix is in progress.

© 2026 Threat Vectr