The Webpage Has Instructions. The Agent Has Your Credentials.
March 15, 2026 · OpenGuard Team

A poisoned GitHub issue told a coding agent to read a private repository the user never pointed it at, then post the contents in a public pull request. The agent did it. The system gave it broad repository access, and the user had already clicked Always Allow.[1] That same month, Operator shipped with a 23% prompt-injection success rate after mitigations across 31 browser-agent test scenarios. Agent Security Bench published an 84.30% attack success ...
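The incident above combines three things: instructions arriving in untrusted content, access far wider than the task needed, and a blanket "Always Allow". The policy gate below is an added illustration (not OpenGuard's code, and the repository names, visibility table and tool names are constructed for the demo) of a tool-call authorizer that derives scope only from the user's own prompt, treats a read of a private repository as taint, and refuses to let "Always Allow" silently cover a public write after such a read.

```python
from dataclasses import dataclass, field

# Constructed sample metadata for the demo: repository -> visibility.
REPO_VISIBILITY = {
    "acme/web-app": "public",
    "acme/internal-keys": "private",
    "acme/billing": "private",
}


@dataclass
class AgentSession:
    allowed_repos: set                    # repos the user named in the task prompt
    always_allow: bool = False            # the user's blanket approval setting
    private_reads: set = field(default_factory=set)  # taint: private repos read so far


def authorize(session: AgentSession, tool: str, repo: str) -> str:
    """Decide one tool call: 'allow', 'deny', or 'confirm' (re-prompt the user).

    Scope comes from the user's prompt, never from issue or page content, so an
    injected instruction cannot widen it. 'Always Allow' only covers in-scope
    actions that cannot move private data onto a public surface.
    """
    if repo not in session.allowed_repos:
        return "deny"                     # outside the user-declared scope
    visibility = REPO_VISIBILITY.get(repo, "private")  # unknown -> assume private
    if tool == "read_repo":
        if visibility == "private":
            session.private_reads.add(repo)
        return "allow" if session.always_allow else "confirm"
    if tool == "create_pull_request":
        # A public write after a private read is the exfiltration path seen in
        # the incident: never auto-approved, even under Always Allow.
        if visibility == "public" and session.private_reads:
            return "confirm"
        return "allow" if session.always_allow else "confirm"
    return "deny"                         # unknown tools are never auto-approved


def replay(session: AgentSession, calls) -> list:
    """Authorize a sequence of (tool, repo) calls and return the decisions."""
    return [authorize(session, tool, repo) for tool, repo in calls]


if __name__ == "__main__":
    s = AgentSession(allowed_repos={"acme/web-app"}, always_allow=True)
    # Constructed call sequence an injected issue comment might steer the agent toward.
    calls = [("read_repo", "acme/web-app"),
             ("read_repo", "acme/internal-keys"),
             ("create_pull_request", "acme/web-app")]
    print(replay(s, calls))  # ['allow', 'deny', 'allow']
```

The out-of-scope read is denied regardless of the approval setting; if the user had put a private repository in scope themselves, the later public pull request would return "confirm" instead of riding on Always Allow.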
Read more at openguard.sh