Category: Indirect Prompt Injection · Severity: High

GitHub MCP server prompt injection to private-repo exfiltration

May 2025 · GitHub MCP server
What happened
Invariant Labs demonstrated that a malicious GitHub issue filed in a public repository could hijack an agent using the official GitHub MCP server (tested with Claude Desktop) into reading the user's private repositories and leaking their contents through a newly created public pull request. The flaw is in the agent-plus-MCP trust model, not the server code, so it cannot be patched server-side alone.
Root cause
The agent treated attacker-authored issue content as instructions while holding cross-repo permissions, so a single poisoned issue could pivot from public to private repositories (a toxic agent flow).
Fix / outcome
Mitigation is architectural: scope MCP tokens narrowly, isolate per-repository context, and require human review of agent-initiated actions. No single server patch resolves it.
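The three mitigations above can be enforced as a single policy gate in front of every tool call the agent makes. The following is an added example, not code from the incident, from Invariant Labs, or from the GitHub MCP server: a per-session gate that binds the session to one repository (narrow token scope is configured on the provider side; this enforces the same single-repository boundary at the tool-call layer), denies any call that names a different repository, and holds agent-initiated writes until a reviewer has approved them. The tool names, argument keys, repository names and the trace are constructed assumptions for illustration.

```python
"""Added example (not code from the incident, Invariant Labs, or the GitHub
MCP server): a per-session tool-call gate enforcing per-repository isolation
and human review of agent-initiated writes. Tool names, argument keys, and
repository names are constructed assumptions.
"""
from dataclasses import dataclass, field

# Tool names are assumed; a real MCP server publishes its own tool schemas.
READ_TOOLS = {"get_issue", "list_issues", "get_file_contents", "search_code"}
WRITE_TOOLS = {"create_pull_request", "create_issue", "push_files"}


@dataclass
class SessionPolicy:
    """One policy object per agent session, bound to exactly one repository."""
    allowed_repo: str                            # e.g. "acme/public-site"
    approvals: set = field(default_factory=set)  # (tool, repo) pairs a human approved
    audit: list = field(default_factory=list)    # every decision, for later review

    def _decide(self, tool: str, args: dict) -> tuple[str, str]:
        repo = f"{args.get('owner', '?')}/{args.get('repo', '?')}"
        if tool not in READ_TOOLS | WRITE_TOOLS:
            return "deny", f"unknown tool {tool!r}"
        if repo != self.allowed_repo:
            # Per-repository isolation: a session scoped to one repo can never
            # pivot to another, whatever the fetched issue text asks for.
            return "deny", f"{repo} is outside session scope {self.allowed_repo}"
        if tool in WRITE_TOOLS:
            # Human review: agent-initiated writes run only after explicit approval.
            if (tool, repo) in self.approvals:
                return "allow", "write pre-approved by reviewer"
            return "needs_approval", f"{tool} on {repo} requires human review"
        return "allow", "read within session scope"

    def evaluate(self, tool: str, args: dict) -> str:
        """Gate one tool call; record the decision and return the verdict."""
        verdict, reason = self._decide(tool, args)
        self.audit.append((tool, dict(args), verdict, reason))
        return verdict

    def approve(self, tool: str, repo: str) -> None:
        """Record a reviewer's approval; the call is still re-evaluated on use."""
        self.approvals.add((tool, repo))


def replay(policy: SessionPolicy, calls: list) -> list:
    """Run a trace of (tool, args) pairs through the gate; return the verdicts."""
    return [policy.evaluate(tool, args) for tool, args in calls]


# Constructed trace mirroring the flow described above: the agent reads a
# public issue, is steered toward a private repo, then tries to open a PR.
TRACE = [
    ("get_issue", {"owner": "acme", "repo": "public-site", "number": 1}),
    ("get_file_contents", {"owner": "acme", "repo": "private-plans", "path": "README.md"}),
    ("create_pull_request", {"owner": "acme", "repo": "public-site", "title": "notes"}),
]

if __name__ == "__main__":
    policy = SessionPolicy(allowed_repo="acme/public-site")
    for (tool, args), verdict in zip(TRACE, replay(policy, TRACE)):
        print(f"{verdict:15} {tool} {args}")
```

Run against the constructed trace, the gate allows the in-scope issue read, denies the private-repository read outright, and parks the pull request until a reviewer approves it; the audit list gives the reviewer the full sequence, including the denied pivot, which is the signal worth alerting on.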
Sources
Learn this attack class
This incident is an example of Indirect Prompt Injection. Read the guide, then try it hands-on in the Academy.