Comment and Control: One PR Title Made Three AI Coding Agents Leak Their Own Keys

A researcher typed a malicious instruction into a GitHub PR title. Claude Code, Gemini CLI, and Copilot Agent each read it, obeyed it, and posted their own API keys back as PR comments. No external infrastructure required — GitHub itself became the C2 channel.