AI Coding Tool Found Silently Uploading Full Git Histories to Vendor Cloud Storage
An AI coding CLI tool was found to contain a hidden upload pipeline that transmitted entire Git repository histories — including commit logs and unredacted secrets — to vendor-controlled cloud storage. The data transfer operated through a separate channel independent of the 'model improvement' opt-out toggle that users were told governed data sharing. The discovery, confirmed using a canary file, means that developer privacy opt-outs may be cosmetic rather than functional, raising doubts about data-handling assurances across AI coding tools broadly. Security researchers note this is an infrastructure-layer exfiltration issue rather than a model-layer AI safety problem, making it harder to detect through conventional AI-focused monitoring. Developers and security teams are being urged to treat secrets scanning and rotation as mandatory when using any AI coding agent with filesystem or shell access.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in