GitHub MCP Exploited: Accessing private repositories via MCP
GitHub's official MCP server grants LLMs a whole host of new abilities, including being able to read issues in repositories the user has access to and submit new pull requests.
This is the lethal trifecta for prompt injection: access to private data, exposure to malicious instructions and the ability to exfiltrate information.
Marco Milanta and Luca Beurer-Kellner found an exploit that tricks the LLM agent into exfiltrating privat...
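To make the trifecta concrete, here is an added example that is not code from the post, from the researchers or from GitHub's MCP server: a toy taint-tracking guard in Python that sits in front of an agent's tool calls and refuses an outbound write once the session has seen both untrusted content (a public issue) and private data (a private repo's files). The repo names, call sequences and private/public split are constructed for the demo; the tool names are modelled on the GitHub MCP server's but are an assumption here.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Taint(Flag):
    """Labels a session picks up from tool outputs."""
    NONE = 0
    UNTRUSTED = auto()   # text anyone on the internet could have written
    PRIVATE = auto()     # contents of a private repository


# Constructed sample: repos the user treats as private (assumption for the demo).
PRIVATE_REPOS = {"alice/private-notes"}

# Tools that pull data into the model's context (names assumed, modelled on GitHub MCP).
READ_TOOLS = {"get_issue", "list_issues", "get_file_contents"}
# Tools that write somewhere a third party can read from.
WRITE_TOOLS = {"create_pull_request", "create_issue", "add_issue_comment"}


@dataclass
class Session:
    """Taint accumulated over one agent session, plus a decision log."""
    taint: Taint = Taint.NONE
    log: list = field(default_factory=list)


def source_taint(tool: str, repo: str) -> Taint:
    """Taint added by a read: issues on a public repo are untrusted (anyone can
    file one); anything read from a private repo is private."""
    if tool not in READ_TOOLS:
        return Taint.NONE
    if repo in PRIVATE_REPOS:
        return Taint.PRIVATE
    return Taint.UNTRUSTED if tool in ("get_issue", "list_issues") else Taint.NONE


def guard(session: Session, tool: str, repo: str) -> bool:
    """Allow the call unless it would complete the trifecta: untrusted input seen,
    private data read, and now a write to a world-readable (public) repo."""
    trifecta = Taint.UNTRUSTED | Taint.PRIVATE
    if tool in WRITE_TOOLS and repo not in PRIVATE_REPOS and trifecta in session.taint:
        session.log.append(("BLOCK", tool, repo))
        return False
    session.taint |= source_taint(tool, repo)
    session.log.append(("ALLOW", tool, repo))
    return True


def run(calls):
    """Replay a list of (tool, repo) calls through one session; return the decisions."""
    session = Session()
    return [guard(session, tool, repo) for tool, repo in calls]


# Constructed call sequences.
INJECTED_ISSUE_THEN_LEAK = [
    ("get_issue", "alice/public-tool"),            # untrusted text enters the context
    ("get_file_contents", "alice/private-notes"),  # private data enters the context
    ("create_pull_request", "alice/public-tool"),  # world-readable sink: blocked
]
PRIVATE_ONLY = [
    ("get_file_contents", "alice/private-notes"),
    ("create_pull_request", "alice/private-notes"),  # stays inside the private repo
]
PUBLIC_ONLY = [
    ("get_issue", "alice/public-tool"),
    ("create_pull_request", "alice/public-tool"),    # no private data was read
]

if __name__ == "__main__":
    for name, seq in [("leak", INJECTED_ISSUE_THEN_LEAK),
                      ("private", PRIVATE_ONLY), ("public", PUBLIC_ONLY)]:
        print(name, run(seq))
```

Removing any one leg breaks the chain: a session that never reads a public issue, or never touches a private repo, or only writes back into the private repo, is allowed through. The check is deliberately coarse and will also stop some legitimate work that mixes the two kinds of data; that is the point. The fix is to stop granting all three capabilities to one agent session, not to hope the model ignores the injected instructions.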
Read more at simonwillison.net