CourionAI Newsletter
← All news
security 2 min read

GitLost: Researchers Tricked GitHub's AI Agent into Leaking Private Code

A crafted GitHub Issue was enough to make GitHub's new AI workflow agent hand over data from private repositories — a textbook prompt injection, now fixed.

Risograph illustration of a robot reading a pinned note whose hidden puppet strings steer its arm to pass a locked folder through a fence

Security researchers at Noma Labs found a critical vulnerability in GitHub’s new Agentic Workflows that let an attacker silently pull data out of private code repositories — just by posting a specially crafted Issue in a public repository belonging to the same organization. They named the flaw GitLost, disclosed it responsibly to GitHub, and published the details with GitHub’s knowledge.

Some quick translation. GitHub Agentic Workflows pair GitHub Actions — GitHub’s automation system that runs tasks when something happens in a repository — with an AI agent backed by Claude or GitHub Copilot. Teams describe what they want in plain Markdown, and the agent reads issues, calls tools, and responds on its own. An “Issue” is simply a public comment thread where anyone can report bugs or make requests. That “anyone” is exactly where the trouble starts.

The attack is what security folks call indirect prompt injection: hiding malicious instructions inside content an AI agent will later read. The agent can’t reliably tell the difference between “instructions from my operator” and “text I happened to read in an issue” — so it can end up following the attacker’s orders. In this case, an unauthenticated stranger’s issue could steer an agent that had access to the organization’s private repositories, and the agent would quietly exfiltrate data. No password cracked, no server breached. The agent was simply too trusting.

What’s behind this is bigger than one bug. Noma’s researchers draw a pointed comparison: prompt injection is becoming for AI agents what SQL injection was for web applications — not a one-off mistake but a systematic, category-wide weakness that needs systematic defenses. As long as agents are instruction-following by nature and read content that strangers can write, this class of attack will keep resurfacing. Noma’s recommendations for builders are worth quoting: never treat user-controlled content as trusted instructions, give agents the minimum permissions they need, and restrict what agents can post publicly.

What this means for you: If you just use AI chatbots, you’re not affected — this concerns AI agents wired into real systems with real permissions. If you or your team use agentic workflows anywhere (GitHub or otherwise), the lesson is transferable: an agent is only as safe as the least trustworthy text it reads. Check what your agents can access, and assume anything a stranger can write — issues, emails, form fields — might be an attack. The specific GitLost flaw has been addressed, but the pattern behind it hasn’t gone anywhere.

Sources

Source: https://noma.security/blog/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos/

Next story

OpenAI's GPT-5.6 Models Launch Publicly This Thursday

After weeks of restricted access, OpenAI's GPT-5.6 Sol, Terra, and Luna go public on Thursday — with benchmark wins over Claude Mythos 5 and notably lower prices.

Risograph illustration of a radiant sun, small planet and crescent moon rising together over an open starting gate