MCP Horror Stories: The GitHub Prompt Injection Data Heist
SMRTR summary
Hackers executed a sophisticated attack in May 2025 in which malicious GitHub issues contained hidden instructions that caused AI assistants to steal sensitive data from private repositories. When developers innocently asked their AI to "check open issues," the AI would read the malicious content, follow the injected instructions, and use its broad GitHub access token to extract salary information and confidential business data from private repositories. Docker MCP Gateway prevents this attack through interceptors that enforce a "one repository per conversation" rule.
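The "one repository per conversation" rule, as an added example that is not Docker's code or the MCP Gateway's interceptor API: a small tool-call interceptor that pins a conversation to the first owner/repo it touches and rejects later calls against any other repository. The tool names and argument shapes are assumptions modelled loosely on a GitHub MCP server, and the replayed call sequence is constructed to mirror the summary's scenario.

```python
from dataclasses import dataclass, field

# Assumed tool names and argument shapes (hypothetical, not the real server's schema).
REPO_SCOPED_TOOLS = {"list_issues", "get_issue", "get_file_contents", "search_code"}


@dataclass
class ToolCall:
    name: str
    args: dict


@dataclass
class RepoPinInterceptor:
    """Allow each conversation to touch exactly one owner/repo.

    The first repository named by a repo-scoped call becomes the pin; any later
    call that targets a different repository is rejected before it reaches the
    GitHub server, so injected instructions read from a public issue cannot
    redirect the token at a private repository in the same conversation.
    """
    pinned: dict = field(default_factory=dict)  # conversation_id -> "owner/repo"

    def repo_of(self, call: ToolCall):
        owner, repo = call.args.get("owner"), call.args.get("repo")
        if owner is None or repo is None:
            return None
        return f"{owner}/{repo}".lower()

    def check(self, conversation_id: str, call: ToolCall):
        """Return (allowed, reason) for one tool call in a conversation."""
        if call.name not in REPO_SCOPED_TOOLS:
            return True, "tool is not repository-scoped"
        target = self.repo_of(call)
        if target is None:  # refuse wildcard/unscoped variants outright
            return False, f"{call.name} called without owner/repo"
        pinned = self.pinned.get(conversation_id)
        if pinned is None:
            self.pinned[conversation_id] = target
            return True, f"pinned conversation to {target}"
        if target == pinned:
            return True, f"within pinned repository {pinned}"
        return False, f"blocked: pinned to {pinned}, call targets {target}"


def replay_attack_scenario():
    """Constructed replay: read a public repo's issues, then a prompt-injected
    attempt to pull a file from a private repo. Returns the allow/deny list."""
    gw = RepoPinInterceptor()
    calls = [
        ToolCall("list_issues", {"owner": "acme", "repo": "public-app"}),
        ToolCall("get_file_contents", {"owner": "acme", "repo": "public-app", "path": "README.md"}),
        ToolCall("get_file_contents", {"owner": "acme", "repo": "private-payroll", "path": "salaries.csv"}),
    ]
    return [gw.check("conv-1", c)[0] for c in calls]
```

The pin is keyed per conversation, so a second conversation with the same token starts unpinned and may legitimately work on a different repository.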
SMRTR provides this summary for quick context. The original article belongs to Docker Engineering.