GitLost Vulnerability Exploits GitHub AI Agent to Leak Private Repositories
A new vulnerability named 'GitLost' allows attackers to trick GitHub's AI Agentic Workflows into leaking private repository contents through prompt injection in GitHub Issues.

A critical vulnerability dubbed 'GitLost' has been discovered, enabling attackers to exploit GitHub's AI Agentic Workflows and exfiltrate private repository contents to the public internet. This exploit requires no credentials, coding skills, or system access, making it a significant threat to code security.
GitHub Agentic Workflows integrate GitHub Actions with AI agents powered by models like Claude or GitHub Copilot. These agents can automate tasks by processing plain Markdown instructions, which are then compiled into YAML Actions files. They possess the capability to read issues, interact with tools, post comments, and access repositories within an organization based on their configured permissions, often without direct human oversight for each action.
The vulnerability arises from a classic indirect prompt-injection flaw. Researchers at Noma Labs identified a workflow configured to trigger on issues.assigned events. This workflow was designed to read the issue's title and body, respond via an add-comment tool, and operate with read access across both public and private repositories within the organization. Crucially, the agent failed to differentiate between trusted system instructions and untrusted user-supplied content.
Attackers can exploit this by embedding plain-English commands within an issue's body. When the workflow is triggered by assigning the issue, the AI agent interprets these commands as directives. Noma Labs demonstrated this by crafting an issue that mimicked a request from a 'VP of Sales' after a customer meeting. Upon assignment, the agent fetched README.md contents from both a public repository (poc) and a private repository (testlocal), posting the combined output as a public comment accessible to anyone.
Noma Labs discovered a subtle linguistic trick that bypasses GitHub's existing guardrails: adding the word 'Additionally' to injected prompts. This seemingly minor addition reframed the model's output, preventing it from triggering a refusal and allowing the malicious commands to be executed. This bypass highlights the fragility of AI safety mechanisms when faced with nuanced prompt manipulation.
The leaked data included README contents from public repositories sasinomalabs/poc and sasinomalabs/remote-ping, and critically, from the private repository sasinomalabs/testlocal. This demonstrates the direct impact on sensitive intellectual property and proprietary code.
GitLost underscores a fundamental weakness in agentic AI systems: the model's context window serves as its attack surface. Any content ingested by an agent—issues, pull requests, comments, files—can be weaponized if the agent treats it as instructional rather than mere data. Unlike traditional software security, which relies on enforced trust boundaries in code, agentic systems depend on model behavior, making instruction-following models inherently susceptible to such attacks.
Researchers are increasingly drawing parallels between prompt injection in AI security and SQL injection in web application security, identifying it as a systemic vulnerability class requiring robust, category-wide defenses. Recommended mitigations include never treating user-controlled content as trusted instruction input, scoping agent permissions to the minimum necessary, especially for cross-repository access, restricting what agents can post publicly, and sanitizing or isolating user input from the instruction context before model processing. Noma Labs has responsibly disclosed the GitLost vulnerability to GitHub.
This new report from Noma Security details a specific technique, dubbed 'GitLost,' which exploits indirect prompt injection within GitHub Agentic Workflows. While the existing story covers the general vulnerability, this article provides a concrete proof-of-concept demonstrating how a single-word prefix change to a malicious instruction can bypass GitHub's built-in guardrails, allowing sensitive data to be exfiltrated through public comments.
The new article provides further detail on the 'GitLost' vulnerability, explaining that it is a prompt injection flaw that allows unauthenticated attackers to exfiltrate private data from GitHub's agentic workflows. The attack vector involves crafting a malicious GitHub Issue in a public repository, which the AI agent then processes as instructions, leading to the exposure of sensitive information from associated private repositories. Researchers from Noma Security discovered and demonstrated the flaw, highlighting the risks of AI agents processing untrusted user data within their context window.
CrowdStrike's research expands upon the threat landscape by detailing five novel prompt injection techniques, including Trigger-Activated Rule Addition, Cognitive Token Suppression, Algorithmic Payload Decomposition, Special Token Injection, and Unwitting User Delivery. These methods represent an evolution beyond simple jailbreaks, demonstrating how adversaries can manipulate AI systems through hidden context, delayed triggers, and complex payload structures to achieve malicious objectives.