According to researcher Aonan Guan, the entire attack takes place inside the GitHub platform: the attacker writes a malicious PR title or issue comment, the AI agent reads and processes it as trusted context, executes the attacker-supplied instructions, and exfiltrates credentials through PR comments, issue comments or git commits, with no external server involved. Unlike traditional indirect prompt injection, which requires the victim to actively ask the AI to process a document, the "comment control" attack is proactive: GitHub ...
A prompt injection attack hit Claude Code, Gemini CLI, and Copilot simultaneously. Here's what all three system cards reveal — and don't — about agent runtime protection.
Morning Overview on MSN
Microsoft patches GitHub’s worst vulnerability in years within two hours of disclosure ...
A critical remote code execution flaw in GitHub was patched by Microsoft in roughly two hours after public disclosure, ...
CVE-2026-3854 (CVSS 8.7) enabled GitHub RCE via git push, risking cross-tenant access to millions of repositories.
Hidden comments in pull requests analyzed by Copilot Chat leaked AWS keys from users’ private repositories, demonstrating yet another way prompt injection attacks can unfold. In a new case that ...
GitHub projects have been targeted with malicious commits and pull requests, in an attempt to inject backdoors into these projects. Most recently, the GitHub repository of Exo Labs, an AI and machine ...
A pair of security vulnerabilities discovered in the GitHub environments of two very popular open source projects from Apache and Google could be used to stealthily ...