The entire attack loop runs within GitHub itself: an attacker writes a malicious PR title or issue comment, the AI agent reads and processes it as trusted context, executes attacker-supplied instructions, and exfiltrates credentials back through a PR comment, issue comment, or git commit. No external server is required.
Unlike classic indirect prompt injection, which is reactive and requires a victim to explicitly ask the AI to process a document, Comment and Control is proactive: GitHub Actions workflows auto-trigger on pull_request, issues, and issue_comment events, meaning simply opening a PR or filing an issue can activate the agent without any victim interaction.
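
A defender-side check for the pattern described above, as an added example that is not from the original page: a heuristic text scan of a workflow file for an auto-triggering event, attacker-written event text passed into a step, and secrets in the same workflow. The action name `example-org/ai-agent`, its `prompt` and `api_key` inputs, and the secret name are hypothetical, and the sample workflow is constructed.

```python
import re

# Events the text names as auto-triggering: anyone who can open a PR,
# file an issue or post a comment can fire them.
AUTO_TRIGGERS = ("pull_request", "issues", "issue_comment")
# Event payload fields whose text is written by that outside user.
UNTRUSTED_FIELDS = re.compile(
    r"github\.event\.(?:pull_request|issue)\.(?:title|body)"
    r"|github\.event\.comment\.body")
EXPR = re.compile(r"\$\{\{(.*?)\}\}")          # ${{ ... }} expressions
SECRET = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
# Top-level "on:" key up to the next line that starts at column 0.
ON_BLOCK = re.compile(r"^on:(.*?)(?=^\S|\Z)", re.M | re.S)

# Constructed sample workflow; the action and its inputs are hypothetical.
SAMPLE = """\
name: ai-review
on:
  pull_request:
    types: [opened]
  issue_comment:
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/ai-agent@v1
        with:
          prompt: "Review this PR: ${{ github.event.pull_request.title }}"
          api_key: ${{ secrets.AGENT_API_KEY }}
"""


def audit_workflow(text):
    """Heuristic scan of one workflow file; no YAML parser required."""
    on = ON_BLOCK.search(text)
    on_body = on.group(1) if on else ""
    triggers = [t for t in AUTO_TRIGGERS if re.search(rf"\b{t}\b", on_body)]
    exprs = EXPR.findall(text)
    fields = sorted({m.group(0) for e in exprs for m in UNTRUSTED_FIELDS.finditer(e)})
    secrets = sorted({m.group(1) for e in exprs for m in SECRET.finditer(e)})
    # All three together match the loop described above: an outside user fires
    # the job, their text reaches the agent, and credentials are within reach.
    return {"triggers": triggers, "untrusted_fields": fields,
            "secrets": secrets, "review": bool(triggers and fields and secrets)}


if __name__ == "__main__":
    print(audit_workflow(SAMPLE))
```

An agent that fetches the PR or issue text itself at run time would not show up in `untrusted_fields`, so an empty list there does not clear a workflow that has both an auto-trigger and secrets.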