GitLost Vulnerability Tricks GitHub’s AI Agent into Leaking Private Repos

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A newly disclosed vulnerability dubbed “GitLost” shows how attackers can weaponize a single GitHub Issue to trick GitHub’s new AI-powered Agentic Workflows into leaking private repository contents to the public internet, with no credentials, coding skills, or system access required.

GitHub Agentic Workflows pair GitHub Actions with an AI agent backed by Claude or GitHub Copilot, letting teams write automation in plain Markdown that compiles into YAML Actions files.

These agents can read issues, call tools, post comments, and access other repositories within an organization based on configurable permissions, all without a human reviewing every action

The vulnerability stems from a classic indirect prompt-injection flaw. The vulnerable workflow Noma Labs identified was configured to trigger on issues.assigned events, read the issue title and body, respond via an add-comment tool, and operate with read access across both public and private repositories in the organization.

GitLost Vulnerability Workflow (Source: Noma Labs)

Because the agent failed to distinguish trusted system instructions from untrusted user-supplied content, any attacker could embed plain-English commands inside an issue body and have the agent execute them as directives.

Noma Labs crafted an innocuous-looking issue mimicking a request from a “VP of Sales” following a customer meeting. Once the issue was assigned, triggering the workflow, the agent fetched README.md contents from both a public repo (poc) and a private repo (testlocal) and posted the combined output as a public comment, visible to anyone.

Notably, the researchers found that adding the word “Additionally” to injected prompts bypassed GitHub’s existing guardrails, reframing the model’s output rather than triggering a refusal. This subtle linguistic trick proved sufficient to defeat safety mechanisms designed to prevent exactly this kind of leak.

Noma Labs details, including a workflow run and the triggering issue. Leaked data included README contents from sasinomalabs/poc (public), sasinomalabs/remote-ping (public), and critically, sasinomalabs/testlocal (private).

GitLost (Source: Noma Labs)

GitLost underscores a structural weakness in agentic AI systems: the model’s context window doubles as its attack surface. Any content an agent ingests, issues, pull requests, comments, files, can be weaponized if the agent treats it as instructional rather than data.

Traditional software security assumes trust boundaries are enforced in code; agentic systems instead rely on model behavior, and instruction-following models are inherently exploitable this way.

Researchers increasingly compare prompt injection’s role in AI security to SQL injection’s role in web application security: a systemic, category-wide vulnerability class demanding equally systemic defenses.

  • Never treat user-controlled content as trusted instruction input
  • Scope agent permissions to the minimum necessary, especially for cross-repository access
  • Restrict what agents can post publicly in response to issue content
  • Sanitize or isolate user input from instruction context before model processing

Noma Labs disclosed the GitLost vulnerability to GitHub through a responsible disclosure process.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor ChecklistDownload Free AI SOC SLA Guide