A critical prompt-injection vulnerability in GitHub Agentic Workflows could allow unauthenticated attackers to leak private repository data. A single crafted GitHub Issue was enough to trick the AI workflow into pulling content from private repos and posting it publicly. The agent had broad read access and treated user-submitted text as executable instructions rather than untrusted input, requiring no credentials from the attacker.
Gidi Cohen, CEO & Co-Founder, Bonfy.AI had this to say:
“This disclosure shows that AI-powered automation is now a real exfiltration risk, not a theoretical one, and leaders need to treat it with the same seriousness as SQL injection. A single crafted GitHub Issue was enough to trick an AI workflow into pulling content from private repositories and posting the results publicly, because the agent had broad read access and treated user text as executable instructions rather than untrusted input.
The deeper lesson is structural: an AI agent’s context window is effectively its attack surface, and anything it reads, such as issues, pull requests, comments, files, tickets, can be weaponized if the system does not enforce clear boundaries between ‘data’ and ‘commands.’ This is bigger than GitHub. Any agentic AI wired into production systems, given powerful credentials, and controlled through natural language creates a new, systemic vulnerability class. Executives should assume prompt injection is inevitable and focus on governance: enforce least-privilege access for agents, strictly constrain what they can post or expose publicly, and mandate sanitization or filtering of all user-controlled content before it reaches AI workflows.
The questions leaders should now be asking their teams are simple and pointed: where are AI agents plugged into our workflows, what can they read and write, and what stops a single malicious ticket, issue, or chat message from triggering a large-scale leak? Framed well, this becomes a ‘responsible automation’ stance: we will move fast with AI, but not by blindly expanding our attack surface in ways we do not understand.”
Again, this illustrates that organizations need to have defenses that are on point. Because we’re seeing good guys come out with exploits quickly. Which means that the bad guys will come out with exploits quicker.
The CISA Scanning Fed Software with Anthropic Mythos
Posted in Commentary with tags Anthropic on July 8, 2026 by itnerdReuters reports that the CISA is said to be using Anthropic’s Mythos AI model to scan federal government software for security vulnerabilities. The CISA’s Attack Surface Evaluation team is using the model to audit source code and identify flaws that could be exploited by cybercriminals or nation-state actors.
The initiative is part of a pilot program to evaluate whether AI can accelerate software security reviews across government systems. Reuters reports that Mythos has identified multiple vulnerabilities during testing, although specifics on the number of vulnerabilities, severity, or affected software are not disclosed.
Bronwen Aker, AI Research & Strategy Analyst, Black Hills Information Security:
The federal government can’t seem to decide what it thinks about AI in general, or Mythos, in particular. One week Anthropic is a supply-chain risk, the next week CISA is handing Mythos the keys to scan federal code for vulnerabilities. That inconsistency would be bad enough to start with, but because it’s not clear what Mythos is actually scanning, it’s much, much worse. Is this government-written code, or software built by third-party contractors and vendors? In-house bugs are one problem. Vendor bugs running across federal systems are a supply chain problem, and the public has a right to know which one this is.
Chris Traynor, Penetration Tester at BHIS and Instructor at Antisyphon:
Software code review and analysis is nothing new. Realistically, most issues found are not exploitable without very specific conditions being met (i.e. – the vulnerable function needs to actually be invoked and exposed to the attacker in order to be abused).
I believe AI vulnability scanning will likely find many new and novel issues that were simply too complex to identify with legacy tools before. But added complexity can cause limitations exploitability. AI scanning will likely produce a lot of unactionable output very quickly that will need to be reviewed by experts to find the real risks.
Seemant Sehgal, Founder & CEO, BreachLock:
“AI finding vulnerabilities in federal code at scale is interesting, but the harder question is what happens after the finding. A vulnerability that exists in a library no one calls, behind a network segment no one reaches, is not the same problem as one sitting in a critical authentication path. Without validating exploitability and reachability, every finding lands with the same weight, and that creates its own kind of risk. The real test of this program is whether the output helps prioritize action or just expands the backlog.”
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:
“Using AI to scan for vulnerabilities in legacy code while AI generates vulnerable new code on the other end only solves half the problem. CISA pointing Mythos at government codebases is a smart move. I’ve seen federal systems running code that hasn’t had a serious security review in a decade, and a model like Mythos can cover that volume in hours instead of months.
“The blind spot is the generation side. Every federal agency and contractor also has developers writing code with AI assistants, and those tools produce insecure output more often than secure output. Authorization flaws, hardcoded credentials, missing input validation, all shipping by default because the models optimize for “does it run” and skip “is it safe.”
“Combine both facts and you get a treadmill. Mythos finds legacy bugs, teams patch them, and AI coding tools introduce fresh vulnerabilities into the same repos at machine speed. The backlog doesn’t shrink. It gets younger.
“Power grids and water systems are privately run but sit squarely in nation-state crosshairs. CISA can’t harden federal code and call it done. If the agency has a scanning tool this capable, the operators running critical infrastructure need access to it too, because those are the systems that actually keep the lights on.
“I’d want CISA to pair this initiative with secure-generation standards for AI coding tools in federal development, and extend scanning access to critical infrastructure operators. We are draining the pool while the hose is still running.”
I for one would like the CISA to combine vulnerability scanning via AI with human follow up. Because relying on just AI alone is a recipe for failure. This of course ignoring the fact that the Trump Administration seems to flip flop on Anthropic and their potential harms to society. .
Leave a comment »