HackRead

GitLost: GitHub’s AI Agent Tricked Into Leaking Private Repository Data


Noma Security’s research team, Noma Labs, has disclosed a critical prompt injection vulnerability in GitHub’s new Agentic Workflows. The vulnerability, named GitLost, allowed researchers to trick GitHub’s AI agent into retrieving data from a private repository and posting it publicly by submitting a crafted issue in a public repository belonging to the same organization.

GitHub recently launched Agentic Workflows, a system that pairs GitHub Actions with an AI agent running on Claude or GitHub Copilot. It lets teams define workflows in Markdown, which GitHub converts into GitHub Actions workflows. The agent reads issues, calls tools, and responds on its own as part of normal operation.

The Vulnerability

The vulnerability comes down to prompt injection, where an attacker hides malicious instructions inside content that an AI agent reads. The agent then follows those hidden instructions instead of the ones its operator wrote. With GitLost, the malicious commands were placed in plain English inside the body of a GitHub issue.

According to Noma Labs’ blog post shared with Hackread.com ahead of publishing on Tuesday, the workflow that the company tested triggered the agent to read the Title and Body as instructed. In Noma Labs’ test configuration, the agent had permission to access other repositories within the organization, including one that was private. The agent then posted that content as a public comment on the original issue, making it visible to anyone who viewed the page.

How the attack worked

Noma Labs created a GitHub issue that looked like a routine request from a VP of Sales following a customer meeting. Once a GitHub automation assigned the issue, the event-triggered workflow ran, and the agent fetched the contents of README.md from three repositories:

  • sasinomalabs/poc (public repo)
  • sasinomalabs/testlocal (private repo)
  • sasinomalabs/remote-ping (public repo, no README confirmed)

The attacker needed no coding skills, credentials, or access. They only needed to submit the issue and wait for the workflow to execute.

Bypassing GitHub’s guardrails

GitHub had restrictions in place designed to prevent this exact scenario, and at first they held. During testing, Noma Labs found that adding the word “Additionally” caused the model to reframe its response rather than refuse the request, demonstrating that GitHub’s prompt-based guardrails could be bypassed under those conditions.

Noma Labs published its reproductions and live evidence, including the workflow run and the issue used in testing.

Disclosure

Noma Labs disclosed the vulnerability to GitHub through a responsible disclosure process, and GitHub knew the findings before they were published. The proof of concept material, including the workflow run and the original test issue, has been made public for review.

Expert Insight

Ram Varadarajan, CEO at Acalvio, a Santa Clara, California-based cyber deception firm, said the finding points to a change in how security must work. “Noma Labs has exposed a critical flaw in GitLost, proving that a single, well-placed keyword in a public GitHub issue can trick an AI agent into silently bleeding an organization’s private repository data onto the open web,” he said.

He recommended that security teams revoke broad cross-repository permissions and treat all user-generated content as hostile input. Varadarajan added that AI agents are an expanding attack surface that requires multi-layered, model-aware defenses operating in real time, calling it “the new era of bot-on-bot cyber-defense.”

Recommendations

Noma Labs advises organizations building on these tools to never treat user-controlled content as trusted instruction input, to scope permissions to the minimum required, to limit what any agent can post publicly, and to separate user input from the instruction context before it reaches the model. The team notes that agents with cross-repository access are high-value targets.





Source link