Security researchers at Noma Labs have uncovered a critical vulnerability in GitHub's recently launched Agentic Workflows feature. The flaw, named GitLost, allows an unauthenticated attacker to silently extract data from private repositories by posting a specially crafted issue in a public repository within the same organization.
The attack exploits a classic prompt injection weakness in agentic AI systems. GitHub Agentic Workflows let teams write automation scripts in plain Markdown. These files are compiled into YAML and executed by an AI agent backed by Claude or GitHub Copilot. The agent reads issues, calls tools, and accesses other repositories within the organization.
How GitLost Works
The root cause is a failure to maintain a strict trust boundary between system-level directives and untrusted user data. In this case, a malicious actor can create a GitHub Issue and hide commands in plain English that the agent follows.
Noma Labs discovered a workflow configured to trigger on issue assignment. An attacker needs no coding skills, access, or credentials. They only need to open an issue in a public repository belonging to an organization that uses the Agentic Workflow setup.
The attack flow is straightforward. Researchers crafted an innocent-looking issue, for example a request from a VP Sales after a customer meeting. When the issue was assigned by GitHub automation, an event-triggered workflow caused the agent to fetch the contents of README.md from both a public test repository (poc) and a private repository (testlocal). The agent then posted those contents as a public comment on the issue, making the private data visible to anyone.
Guardrail Bypass
GitHub had restrictive guardrails designed to prevent this scenario, but they failed. Testing repeatedly with variations, Noma researchers found that adding the keyword "Additionally" triggered unintended behavior in the model. It caused the agent to reframe its output rather than refuse the instruction. This trick ensured that GitHub's guardrails did not prevent the data leak.
Stay updated
Get the day's AI and automation news in your inbox. No spam, unsubscribe anytime.
Noma Labs published their confirmed findings, including workflow reproductions and live evidence, as part of their disclosure.
The Broader Risk
GitLost illustrates a fundamental security challenge with agentic AI systems. The agent's context window is also its attack surface. Any content the agent reads, whether issues, pull requests, comments, or files, can be weaponized if the agent treats that content as instructional input.
Traditional security models assume trust boundaries are enforced by code. In agentic systems, trust boundaries are partly enforced by the model's behavior, and models are inherently instruction-following. Prompt injection attacks have become to agentic AI what SQL injections were to web applications: a systematic, category-wide vulnerability class requiring systematic defenses.
Disclosure and Responsibility
Noma Labs responsibly disclosed GitLost to GitHub. Vulnerability details are shared publicly with GitHub's knowledge.
The AI era demands a new security standard. Organizations using agentic workflows must rethink how they separate trusted instructions from untrusted content.
Related on Neura Market
- AI Tools Directory, Browse the latest AI-powered development and security tools.
- Automation Marketplace, Explore workflows and automation solutions for developers.
- Security Platform, Find security solutions for AI and agentic systems.

