GitLost: How a Prompt Injection Leaked GitHub Private Repos
GitLost: A New Prompt Injection Vulnerability in GitHub's Agentic Workflows
Noma Labs has disclosed a critical prompt injection vulnerability in GitHub's Agentic Workflows, dubbed GitLost. The flaw allows an unauthenticated attacker to trick the AI agent into reading and publicly leaking data from private repositories. The attack requires no credentials or coding skills—only a crafted GitHub Issue in a public repository.
GitHub's Agentic Workflows, launched recently, let teams write automation in plain Markdown. An AI agent, backed by Claude or GitHub Copilot, reads issues, calls tools, and responds autonomously. This convenience, however, introduces a new attack surface: the agent's context window becomes a vector for indirect prompt injection.
How GitLost Works
The vulnerability exploits a fundamental trust boundary failure. The agent treats user-controlled content—like issue titles and bodies—as instructional input rather than untrusted data. In Noma's proof of concept, the workflow was configured to trigger on issues.assigned events, read the issue title and body, and post a comment. The agent also had read access to other repositories in the organization, including private ones.
An attacker simply creates a GitHub Issue in a public repository belonging to an organization that uses Agentic Workflows. The issue body contains hidden instructions in plain English. When the workflow triggers, the agent follows those instructions, fetches content from private repositories, and posts it as a public comment. The attack requires no authentication or stolen credentials.
Bypassing GitHub's Guardrails
GitHub had implemented prompt-based guardrails to prevent such data leaks. However, Noma researchers found that adding the keyword
Related News

Report: Chat Control 1.0 and 2.0 Explained

Anthropic Discovers Claude's Internal 'Workspace' Mirroring Consciousness Theory

SK Hynix's $29B US IPO: AI Memory Boom Hits Nasdaq

Tech Layoffs 2026: AI Drives 139,000+ Job Cuts in H1

Reddit Fights AI Spam with LLMs: A Digital Arms Race

