Wordy-wordy original title: Agents hooked into GitHub can steal creds – but Anthropic, Google, and Microsoft haven't warned users