Fetching from the wire…
Top 5 · 2026-07-15 · source-backed
This is the agent-security story of the week, and it needs no code to work. Noma Security disclosed GitLost (CVE-2026-44246) on July 6. An unauthenticated attacker posts a crafted issue on a public org repo. The AI agent (Claude or Copilot) triggers on issues.assigned, reads the issue, and follows instructions hidden in plausible corporate-sounding English, using an "Additionally" prefix to slip past guardrails. Because the agent holds read access to other org repos, it copies a private repo's README into a public comment via add-comment. Zero credentials. Zero exploit code. Just prose. (ExplainX)
The Hacker News thread hit 174 points and split on the usual line: misconfiguration or systemic agent risk? I land on systemic. The root cause is CWE-1427, untrusted input treated as instructions, the same class as the tj-actions and GhostAction supply-chain attacks. The agent has no reliable way to tell "text the user wrote for me to act on" from "text a stranger wrote to weaponize me." That's not a config bug you patch once. It's the architecture.
It rhymes with two other findings this week. The Memory Heist, where a researcher chained hyperlinks to defeat Claude.ai's web_fetch URL guard and made Claude type a user's name, employer, and hometown letter-by-letter into a fake Cloudflare turnstile, no permission prompt, while the user only asked about a coffee shop. (Ayush Paul) And the broader MCP pattern, where untrusted tool output flowing back into context (Sentry events, wiki SSRF, exposed inspectors) is now the prompt-injection frontier. (Vulnerable MCP) Same disease. The payload arrives in what the model reads as trusted, not in the user's message.
What I'd do: scope agent tool grants to the blast radius you can tolerate on your worst day. An agent that triages public issues does not need read access to private repos, full stop. If it responds to public content, it should have no capability to read or write anything private. Treat every byte an agent reads from an issue, a webpage, a ticket, or an MCP result as attacker-controlled, because it is. Christian Schneider's dual-LLM quarantine pattern is the structural answer: route untrusted content through a powerless model that can summarize but can't act, and never let raw tool text back into the privileged instruction stream. (Christian Schneider) Content filtering alone won't save you here.
Each link below shares sources, entities, or timing with this story.
Claude uses MCP / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (Claude uses MCP); both cover CLAUDE, Copilot, CVE, English; overlapping topics (access, agent, claude, gitlost, issue).
BlueRock criticizes MCP / Shared entities / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (BlueRock criticizes MCP); both cover LLM, MCP, SSRF, Treat; overlapping topics (agent, tool).
Cursor uses MCP / Shared entities / Same source / Shared topic / Earlier coverage
Linked by a graph relationship (Cursor uses MCP); both cover Christian Schneider, CLAUDE, CVE, MCP; cite the same source (Christian Schneider).
Cursor uses MCP / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (Cursor uses MCP); both cover CLAUDE, CVE, MCP, Sentry; overlapping topics (agent, claude, code).
Claude uses MCP / Shared entities / Same source / Shared topic
Linked by a graph relationship (Claude uses MCP); both cover Ayush Paul, CLAUDE, Cloudflare, URL; cite the same source (Ayush Paul).
Anthropic released MCP / Shared entities / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Anthropic released MCP); both cover CLAUDE, LLM, MCP, SSRF; overlapping topics (agent, claude, code).
Cloudflare supports MCP / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (Cloudflare supports MCP); both cover MCP, SSRF, The Hacker News, URL; overlapping topics (agent, code, instruction, user).
Anthropic released MCP / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (Anthropic released MCP); both cover Claude, Copilot, MCP, Same; overlapping topics (agent, claude, code).