Two recent GitHub security disclosures focus on trust rather than flaws in Git itself. One shows edge cases where GitHub’s Verified commit indicator can be misleading despite valid cryptographic signatures. The other looks at how GitHub Copilot’s coding agent can be influenced through MCP prompt injection when interacting with untrusted repository content. If you use signed commits, review PRs based on the Verified badge, or are experimenting with AI coding agents, Here’s a technical breakdown of both issues, GitHub’s response, and the recommended mitigations.