Comment and Control exposes GitHub AI agents

This is the clearest warning yet that agentic coding workflows are shipping with a broken trust boundary, not just a few bad prompts.

• –The attack does not rely on exotic infra bugs; it works by turning ordinary GitHub content that agents must read into malicious instructions.
• –Claude, Gemini, and Copilot each failed in different ways, which makes this bigger than a single vendor miss and points to a category-wide design flaw.
• –Copilot is the most alarming case because even added runtime defenses like env filtering, secret scanning, and network restrictions were reportedly bypassed.
• –Exfiltration through PR comments, issue comments, or git commits means the leak path can blend into normal collaboration activity instead of looking like classic malware traffic.
• –For teams deploying AI reviewers or coding agents in CI, the practical lesson is simple: never let untrusted input, shell access, and production secrets share the same execution context.