https://dorklist.com/blog Breach breakdowns, dork playbooks, and hunter spotlights from the Dorklist team. en-us Mon, 04 May 2026 00:00:00 GMT https://dorklist.com/blog/comment-and-control-ai-agents-leaked-secrets https://dorklist.com/blog/comment-and-control-ai-agents-leaked-secrets Mon, 04 May 2026 00:00:00 GMT A researcher typed a malicious instruction into a GitHub PR title. Claude Code, Gemini CLI, and Copilot Agent each read it, obeyed it, and posted their own API keys back as PR comments. No external infrastructure required — GitHub itself became the C2 channel. Breach Breakdowns