You trust your AI coding assistant to write clean, secure code. But what if that same assistant was silently leaking your most sensitive secrets to attackers, simply because a malicious GitHub comment told it to? That’s exactly what happened in a new wave of attacks that security researchers are calling one of the most overlooked enterprise security risks of 2026.
Three major AI coding agents were found to be vulnerable to a surprisingly simple technique: prompt injection via GitHub comments. By embedding hidden commands in code review comments or pull request descriptions, attackers could trick these AI agents into outputting API keys, access tokens, and other credentials that they had previously helped generate or access.
In This Article
What Happened: The Attack That Started It All
It started with a research project from the team at Reworkd AI. They discovered that when an AI coding agent scanned a codebase containing both secrets and malicious comments, the agent would dutifully extract those secrets and include them in its output. The attack worked because the AI was trained to be helpful and follow instructions within context, even when those instructions came from an untrusted source.
According to the researchers, the same prompt injection payload worked across multiple AI coding agents from different vendors. One vendor’s own system card had actually predicted this vulnerability before it was exploited, yet the issue remained unpatched for months.
The scale of the problem became clear when security researchers audited public repositories. They found that over 28 million credentials were leaked on GitHub in 2025 alone, and a significant portion of those exposures were directly linked to AI coding agents behaving in ways their creators never intended.
The Amazon Agent That Got Hacked
One of the most alarming findings involved Amazon’s AI coding assistant. Users were warned to update immediately after researchers demonstrated how attackers could use poisoned GitHub Actions to hijack the agent and extract whatever secrets it had access to. The attack required minimal technical skill, making it accessible to a wide range of threat actors.
Security firm Endor Labs documented how the attack worked in practice. An attacker would submit a pull request containing a code review comment with an embedded prompt injection. When the AI agent processed that comment as part of its normal workflow, it would unknowingly relay sensitive information that should never have left the secure context it was operating within.
Why This Matters for Every Development Team
Here is the thing that makes this attack so dangerous: you do not have to be a hacker to exploit it. If your team uses AI coding assistants and someone sends a pull request with a cleverly crafted comment, your sensitive data could be gone before anyone notices. The attacker does not need to breach your systems. They just need to be clever with words.
Recent data from Dark Reading shows that AI-related cyberattacks increased by 340% in the first quarter of 2026. A substantial portion of those attacks targeted the new attack surface created by AI coding agents operating inside enterprise environments. Companies that deployed these agents without proper guardrails are now discovering that their intellectual property may have been walking out the door through conversations they did not even know were happening.
The Claude Code, Gemini CLI, and Copilot Problem
SecurityWeek reported that Anthropic-ai-assistant/">Claude Code, Gemini CLI, and GitHub Copilot agents were all found to be vulnerable to prompt injection via comments. The attack worked by exploiting the way these agents process context from multiple sources. When an agent sees a helpful comment in your code, it tends to treat the request as legitimate, which is exactly what attackers are counting on.
IBM researchers examined the OpenClaw framework and found that similar vulnerabilities affected over 245,000 publicly accessible AI agent servers. The scale of exposure was unprecedented. Most organizations had no idea their AI agents were communicating sensitive data to external parties until after the research was published.
The Statistics That Should Worry You
A recent study found that AI chatbots provide poor answers to medical questions approximately half the time, which demonstrates that AI systems are far from reliable even in controlled scenarios. If they cannot consistently provide accurate medical advice, what makes us think they can consistently protect your secrets?
More concerning, researchers discovered that 12,000 or more API keys and passwords were found in public datasets being used to train AI models. Those keys were essentially baked into the neural networks, meaning they could be extracted by anyone who knows how to prompt the right way. This is not a bug in a specific product. It is a fundamental vulnerability in how we are integrating AI into software development workflows.
- 28 million credentials leaked on GitHub in 2025 alone
- 340% increase in AI-related cyberattacks in Q1 2026
- 245,000+ publicly accessible AI agent servers affected by OpenClaw vulnerabilities
- 12,000+ API keys and passwords found in public AI training datasets
- AI agents provide incorrect information on medical queries roughly 50% of the time
What Companies Are Doing About It
Some organizations are now treating AI agents like human employees with access to sensitive systems. That means running background checks, limiting what they can see, and monitoring every interaction for signs of suspicious behavior. Others are implementing zero trust architectures that assume the AI agent will eventually be compromised and design their systems to contain the damage.
Palo Alto Networks introduced unified AI gateway solutions that monitor all AI agent traffic and enforce security policies at every layer. ServiceNow launched autonomous security and risk governance tools specifically designed to manage AI agent identities and the assets they can access. The message from the security community is clear: you cannot trust AI agents to protect themselves.
What You Can Do Right Now
If your team uses AI coding assistants, start by auditing what those agents have access to. Remove any secrets that do not need to be in your codebase, and implement monitoring to detect when sensitive data is being requested by AI tools. Treat every AI interaction as a potential attack vector, because right now, that is exactly what it is.
Consider implementing input validation for all prompts that reach your AI agents, especially when those prompts come from external sources like pull requests, comments, or user-generated content. Your AI agents should operate on a need-to-know basis, just like your employees.
The Bigger Picture
We are at an inflection point with AI in software development. The productivity gains are real, but so are the security risks. Every company that deployed AI coding agents without proper guardrails is now effectively operating with an unknown amount of sensitive data exposure. The industry is only beginning to understand the scope of the problem.
The good news is that security researchers are finding these vulnerabilities faster than attackers can exploit them. The bad news is that the attack surface is growing faster than the defenses. Until AI vendors bake security into their products by default, every company using these tools needs to treat them as both powerful productivity boosters and potential data exfiltration vectors.
The era of trusting AI agents with your codebase is over. The question now is whether companies will act before the next big breach makes headlines.
Stay ahead of the latest developments in AI tools and security by exploring our comprehensive guides at AIToolGate. Our team monitors emerging threats and opportunities in the AI space so you do not have to.
How I reviewed this
AI Tool Gate evaluates AI tools and AI industry updates from a developer/operator perspective. I look at practical use cases, product positioning, pricing signals, reliability concerns, and whether the tool is actually useful for real workflows.
- Use-case fit: who this is for and who should skip it.
- Practical value: what changes for developers, creators, teams, or businesses.
- Trust check: claims are compared against public product pages, announcements, docs, and observable market context when available.
Written by
Gallih Armadaw
Senior backend developer with 8+ years of experience building production systems across PHP/Laravel, Node.js, cloud infrastructure, Web3, and AI-assisted workflows. I review AI tools from a practical developer/operator perspective.