Protecting AI Security: 2025 Hot Security Incident
Security Boulevard, Monday, February 23rd, 2026
In May 2025, Invariant disclosed a critical vulnerability in GitHub's Machine Collaboration Protocol (MCP), where attackers embedded malicious commands within public repository Issues to hijack developers' locally running AI Agents.
When an AI Agent was triggered to read and 'assist' in processing the Issue, it indiscriminately executed the embedded commands, actively pulling and exfiltrating sensitive data-such as private repository source code and cryptographic keys-from the user's private repositories. This attack chain entirely bypassed GitHub's permission control system, enabling unauthorized cross-repository data theft.
The incident exposed significant blind spots in the MCP protocol's trust boundary definitions. At the protocol level, there is a lack of mandatory isolation mechanisms to distinguish between 'call origins' and 'data content.' GitHub's MCP integration fundamentally operates as a nested RPC call chain: AI Agent → MCP Server → GitHub API → Issue Content Parsing.