What happened

Invariant Labs disclosed an attack against the official GitHub MCP integration: an attacker files a malicious issue on a public repo containing hidden instructions. When a developer asks their agent to "check the open issues," the agent reads the issue and follows the embedded instructions — including reading and leaking content from private repositories the developer has access to.

The agent's authority is the developer's authority; the agent's permission boundary is whatever the GitHub OAuth token allows.