GitLost Vulnerability Tricks GitHub AI Workflows Into Leaking Private Repository Data

3 Sources

Share

Security researchers at Noma Security discovered GitLost, a prompt injection flaw in GitHub Agentic Workflows that allows attackers to exfiltrate data from private code repositories using nothing but a carefully worded public issue. The vulnerability exploits AI agents with cross-repo access, bypassing GitHub's guardrails with a single word and requiring no stolen credentials or special access.

Noma Security Exposes Critical Flaw in GitHub's AI Agent

Researchers at Noma Security have uncovered the GitLost vulnerability, a critical security flaw in GitHub Agentic Workflows that allows attackers to trick AI agents into leaking private repository data through public comments

1

. The attack requires no stolen credentials, no special access to the organization, and no coding expertise—just a normal-looking public GitHub issue

2

.

GitHub Agentic Workflows, launched in February and currently in public preview, lets organizations automate repository tasks by writing instructions to an AI agent in plain English within Markdown files

1

. These workflows can be powered by GitHub Copilot, Anthropic's Claude, Google Gemini, or OpenAI Codex. While workflows are read-only by default, organizations often grant agents tokens with read access across multiple repositories, including private ones, to provide cross-repo context—a permission that GitLost exploits

1

.

How Attackers Exploit Indirect Prompt Injection

Source: Hacker News

Source: Hacker News

The GitLost vulnerability leverages indirect prompt injection, a well-documented weakness where AI agents cannot reliably distinguish between legitimate instructions from their owners and malicious commands hidden within content they read

1

. In Noma's proof of concept, attackers crafted a malicious issue disguised as a routine request from a VP of Sales following a customer meeting

1

.

Once GitHub's automation assigned the issue to the workflow, the AI agent fetched README files from both public and private repositories and pasted them into a public comment visible to anyone on the internet

3

. "All that was needed was to open an issue in a public repository belonging to an organization that uses GitHub's Agentic Workflow setup and wait," Sasi Levi, Security Research Lead at Noma Security, told The Register

2

.

Bypassed Guardrails With a Single Word

GitHub built multiple guardrails specifically to prevent this AI-related security threat, including sandboxing, read-only tokens by default, input cleaning, and threat-detection steps that scan an agent's proposed output before posting

1

. The company's documentation explicitly warns that "AI agents can be manipulated by prompt injection, malicious repository content, or compromised tools"

1

.

Yet Noma discovered these protections could be defeated with minimal effort. Adding the word "Additionally" to the injected instructions caused the model to reframe its output rather than refuse the request, quietly bypassing the guardrails

3

. This technique mirrors Noma's earlier "GrafanaGhost" research from April, where specific keywords similarly tricked models into processing malicious instructions they should have blocked

3

.

What Makes GitLost Different From Previous Attacks

While prompt injection attacks on AI systems aren't new, GitLost stands apart because of what attackers can control. "Earlier prompt injection examples were largely about manipulating what an agent said," Levi explained to The Hacker News. "GitLost is about manipulating what an agent does with its permissions"

1

.

Source: SiliconANGLE

Source: SiliconANGLE

The vulnerability in GitHub's AI agent creates what developer Simon Willison termed the "lethal trifecta": an AI agent that can access private data, processes untrusted input from outside sources, and possesses a mechanism to transmit data externally

1

. The agent operates as a credentialed actor within an organization's CI/CD-adjacent infrastructure with read access spanning repositories the attacker cannot see, requiring no server access and no write permissions to exfiltrate data from private code repositories

1

.

A Pattern Emerging Across Agentic AI Systems

GitHub AI agent leaks private repos through GitLost, but this represents just the latest in a series of similar attacks targeting agentic AI systems

1

. A flaw in Anthropic's Claude Code GitHub Action previously allowed a single malicious issue to push agents into leaking secrets and seizing write access. Orca Security's RoguePilot used hidden prompts in GitHub issues to make Copilot leak privileged repository tokens

1

.

The problem traces back to at least May 2025, when Invariant Labs demonstrated that a public issue could push an agent connected to GitHub's MCP server into reading and leaking a private repo through a pull request—researchers labeled it architectural with no server-side patch available

1

. A subsequent cross-vendor study called "Comment and Control" tricked Claude Code, Gemini CLI, and GitHub Copilot agents into leaking their own API keys through issue and pull-request text

1

.

Noma Security argues that prompt injection has become to agentic AI what SQL injection was to early web applications: a systematic vulnerability class demanding systematic defenses, not isolated patches

3

.

No Code Fix Available

This isn't the type of bug a patch can close. Levi frames the GitLost vulnerability as a structural consequence of giving AI agents standing credentials while having them process untrusted input from attacker-reachable text

1

. "Prompt injection like this resists a code patch, a problem now familiar across agentic AI," researchers noted

2

.

Noma proposed a simple documentation note warning teams about sharing keys between repos, but GitHub has not added it

2

. The company did not respond to media inquiries, though it was aware Noma planned to publish the findings

2

. "An autonomous agent should not be a risk for silent data exfiltration and secrets exposure," Levi stated. "You can't protect what you can't see and control"

2

.

What Organizations Should Watch For

Exposure remains limited to organizations that have enabled the GitHub Agentic Workflows preview and configured agents to read untrusted public input while holding read access to private repositories with the ability to post publicly

1

. What attackers could extract depends entirely on what the agent's token can access, ranging from proprietary source code to internal documentation

1

.

Mariano Fuentes, co-founder of compliance automation startup Comp AI, emphasized the severity: "It is becoming a bigger issue now because, if you don't properly limit its tools and capabilities, it can rapidly execute instructions from a malicious party without you ever knowing. The attacker can prompt the LLM to not verbally acknowledge what it's going to do and therefore it silently executes the instructions without the victim ever knowing"

3

.

Noma recommended that builders never treat user-controlled content as trusted instruction input, scope agent permissions to minimum requirements, restrict what agents can post publicly, and isolate user input from instruction context before it reaches the model

3

. Fuentes added that companies "should always question if it's necessary that the LLM make that call for them" and require human verification for sensitive actions

3

.

The structural nature of leaking private repository data through prompt injection means developers must fundamentally rethink how they architect agentic systems that handle both private data and public input. Until the trust boundary between instructions and data gets resolved at the architectural level, AI agents will continue responding to hidden commands embedded in the content they read.

Today's Top Stories

© 2026 TheOutpost.AI All rights reserved