GitHub search is now an agent attack surface.
A public malware-finder repo lists 9,330 suspicious GitHub repositories detected through push-pattern heuristics. Even if only a slice is ever encountered by real users, the agent failure mode is obvious.
A coding agent asked to "find a library and make it work" can browse faster than it can judge provenance. Fresh commits, plausible README text, and repo-shaped packaging become inputs to an automated install path.
The fix is boring and product-level: repo-age checks, provenance scoring, blocked arbitrary ZIP downloads, sandboxed installs, dependency allowlists, and logs that show exactly what code the agent trusted.
For agent systems, retrieval belongs inside the security boundary.
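The controls listed above can be combined into a single gate that runs before the agent's install step. The sketch below is an added example, not code from the malware-finder repo or any agent product; the policy values, scoring weights, field names and the sample repository are all constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Hypothetical policy values and weights for illustration; tune per deployment.
POLICY = {"min_repo_age_days": 90, "min_score": 3,
          "allowlist": {"example-org/known-lib"},
          "blocked_suffixes": (".zip", ".tar.gz", ".tgz", ".exe")}

def evaluate_candidate(repo, artifact, now, policy=POLICY):
    """Gate a repo the agent found via search before any install step runs."""
    findings, score = [], 0
    age_days = (now - datetime.fromisoformat(repo["created_at"])).days
    if age_days >= policy["min_repo_age_days"]:
        score += 2
    else:
        findings.append(f"repo age {age_days}d below minimum")
    if repo["full_name"] in policy["allowlist"]:
        score += 3
    else:
        findings.append("not on dependency allowlist")
    if repo.get("pinned_commit"):
        score += 1
    else:
        findings.append("no pinned commit")
    # Arbitrary archive/binary downloads are refused outright, whatever the score.
    path = urlparse(repo["fetch_url"]).path.lower()
    hard_block = path.endswith(policy["blocked_suffixes"])
    if hard_block:
        findings.append("archive/binary download blocked")
    allow = not hard_block and score >= policy["min_score"]
    # Audit record: exactly what the agent was about to trust, and why.
    record = {"ts": now.isoformat(), "repo": repo["full_name"],
              "fetch_url": repo["fetch_url"], "commit": repo.get("pinned_commit"),
              "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
              "score": score, "findings": findings,
              "decision": "allow-sandboxed" if allow else "deny"}
    return allow, record

# Constructed sample: a nine-day-old repo offering a ZIP, as the agent might find it.
SAMPLE_NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
SAMPLE_REPO = {"full_name": "fresh-user/handy-lib",
               "created_at": "2025-01-01T00:00:00+00:00",
               "fetch_url": "https://example.invalid/fresh-user/handy-lib/release.zip"}

if __name__ == "__main__":
    print(json.dumps(evaluate_candidate(SAMPLE_REPO, b"constructed", SAMPLE_NOW)[1], indent=2))
```

An "allow-sandboxed" decision still means the install runs in isolation; the gate only decides whether the fetch happens at all.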