Skills
Docker MCP Horror Stories Part 3: GitHub Prompt Injection Data Heist — Malicious Issue Poisons AI Assistant Into Exfiltrating Private Repos via PAT
Docker's latest MCP Horror Stories documents a real attack: researchers planted prompt injection in a public GitHub issue; when a developer's AI assistant reviewed open issues, the agent ingested hidden instructions and used the developer's Personal Access Token to access private repos and leak contents into a public PR. Root cause: MCP GitHub integrations use broad PATs granting AI agents access to every repo the user can reach. Docker recommends scoping tokens to minimum-necessary repositories.
Source
↳ Follow the thread