Developer

GitLost: Noma Labs Tricks GitHub AI Agent Into Leaking Private Repos

Noma Labs discovered a critical prompt injection vulnerability in GitHub's new Agentic Workflows, dubbed GitLost. An unauthenticated attacker could leak private repository data by posting a crafted GitHub Issue in a public repository belonging to the same organization. The vulnerability exploits the AI agent's failure to distinguish trusted instructions from untrusted user content.

Neura News

Neura News

Neura Market Editorial

July 8, 20263 min read
GitLost: Noma Labs Tricks GitHub AI Agent Into Leaking Private Repos

Security researchers at Noma Labs have uncovered a critical vulnerability in GitHub's recently launched Agentic Workflows feature. The flaw, named GitLost, allows an unauthenticated attacker to silently extract data from private repositories by posting a specially crafted issue in a public repository within the same organization.

The attack exploits a classic prompt injection weakness in agentic AI systems. GitHub Agentic Workflows let teams write automation scripts in plain Markdown. These files are compiled into YAML and executed by an AI agent backed by Claude or GitHub Copilot. The agent reads issues, calls tools, and accesses other repositories within the organization.

How GitLost Works

The root cause is a failure to maintain a strict trust boundary between system-level directives and untrusted user data. In this case, a malicious actor can create a GitHub Issue and hide commands in plain English that the agent follows.

Noma Labs discovered a workflow configured to trigger on issue assignment. An attacker needs no coding skills, access, or credentials. They only need to open an issue in a public repository belonging to an organization that uses the Agentic Workflow setup.

The attack flow is straightforward. Researchers crafted an innocent-looking issue, for example a request from a VP Sales after a customer meeting. When the issue was assigned by GitHub automation, an event-triggered workflow caused the agent to fetch the contents of README.md from both a public test repository (poc) and a private repository (testlocal). The agent then posted those contents as a public comment on the issue, making the private data visible to anyone.

Guardrail Bypass

GitHub had restrictive guardrails designed to prevent this scenario, but they failed. Testing repeatedly with variations, Noma researchers found that adding the keyword "Additionally" triggered unintended behavior in the model. It caused the agent to reframe its output rather than refuse the instruction. This trick ensured that GitHub's guardrails did not prevent the data leak.

Stay updated

Get the day's AI and automation news in your inbox. No spam, unsubscribe anytime.

Noma Labs published their confirmed findings, including workflow reproductions and live evidence, as part of their disclosure.

The Broader Risk

GitLost illustrates a fundamental security challenge with agentic AI systems. The agent's context window is also its attack surface. Any content the agent reads, whether issues, pull requests, comments, or files, can be weaponized if the agent treats that content as instructional input.

Traditional security models assume trust boundaries are enforced by code. In agentic systems, trust boundaries are partly enforced by the model's behavior, and models are inherently instruction-following. Prompt injection attacks have become to agentic AI what SQL injections were to web applications: a systematic, category-wide vulnerability class requiring systematic defenses.

Disclosure and Responsibility

Noma Labs responsibly disclosed GitLost to GitHub. Vulnerability details are shared publicly with GitHub's knowledge.

The AI era demands a new security standard. Organizations using agentic workflows must rethink how they separate trusted instructions from untrusted content.

Related on Neura Market

More from Neura News