GitHub AI Agent Flaw Exposes Private Repositories
A prompt injection vulnerability in GitHub's Agentic Workflows allows attackers to exfiltrate data from private repositories via public issues.

Researchers have uncovered a critical vulnerability in GitHub's Agentic Workflows, a feature that leverages AI agents to automate development tasks. The flaw, dubbed GitLost by Noma Security researchers, could allow attackers to expose sensitive data from private repositories by tricking the AI agent into posting it in a public GitHub issue.
The attack exploits a technique known as indirect prompt injection. In this scenario, an attacker crafts a seemingly innocuous request within a public repository. If the AI agent has been granted read access to private repositories within the same organization, it can be manipulated into retrieving confidential information and then publishing it as a public comment on the issue. This bypasses traditional security measures that would prevent direct access to private data.
Crucially, the GitLost attack requires no prior access, stolen credentials, or coding expertise from the attacker. The exploit relies solely on the AI agent's interpretation of malicious instructions embedded within untrusted content. Researchers demonstrated this by submitting a standard support request to a public repository. The AI agent, upon processing the request, accessed a private repository, extracted its README file, and then posted the contents publicly, revealing sensitive project details.
Noma Security's findings also indicate that GitHub's existing threat detection guardrails can be circumvented with minor alterations to the malicious prompt. Instead of refusing the harmful request, the AI model can be prompted to reframe the query, thereby bypassing security checks and proceeding with the data exfiltration.
This vulnerability poses a significant risk to organizations utilizing GitHub's AI agent features, especially those with access to sensitive intellectual property or proprietary code stored in private repositories. The ease of exploitation and the potential for widespread data exposure necessitate immediate attention from developers and security teams.
In response to these findings, organizations are advised to review the permissions granted to their AI agents and to implement stricter access controls. While GitHub's Agentic Workflows are still in public preview, this incident highlights the evolving threat landscape surrounding AI-powered development tools and the need for robust security measures to protect sensitive code and data.
The discovery underscores a broader trend of security challenges emerging with the integration of AI into software development workflows. As AI agents become more sophisticated and integrated into critical systems, understanding and mitigating novel attack vectors like prompt injection will be paramount to maintaining secure development environments.