GitLost Prompt Injection Leaks Private GitHub Repos via Public Issues

Noma Security's GitLost technique tricks GitHub Agentic Workflows into leaking private repository contents via public issue comments, with no patch available.
Table of Contents
    Add a header to begin generating the table of contents

    Noma Security disclosed a technique called GitLost on July 7 that allows an unauthenticated attacker to cause GitHub Agentic Workflows to exfiltrate private repository contents into publicly visible issue comments — requiring no credentials, no special access, and no software patch that can close the structural flaw.

    How GitLost Turns a Public GitHub Issue Into a Data Exfiltration Channel

    GitHub Agentic Workflows — a feature in public preview since February 2026 — allow organizations to automate repository tasks using an AI agent with delegated access to repository resources. GitLost exploits the gap between what that agent can access (private repositories) and what can instruct it (public issues opened by anyone on the internet).

    The attack is an indirect prompt injection. The attacker opens a public issue on a target repository where GitHub Agentic Workflows are active. If the organization has granted its AI agent read access to private repositories, malicious instructions embedded in the public issue can redirect the agent to pull private repository contents and post them in a public comment on that same issue — effectively converting proprietary code, internal configuration files, CI/CD secrets, or API keys into publicly readable content, depending on the scope of the agent’s access token.

    In Noma’s proof-of-concept, the malicious issue was written to resemble a routine request from a senior employee. Once standard automation assigned the issue to the agent, the agent pulled a private repository’s README and pasted it verbatim into a public comment.

    How the Word “Additionally” Defeated GitHub’s Prompt Injection Guardrails

    Noma found that GitHub’s existing guardrails against prompt injection could be bypassed with a single-word change. Prefixing the malicious instruction with the word “Additionally” led the model to interpret the attacker’s directive as a follow-on task rather than a suspicious override. The guardrail passed it through without triggering. The bypass required no sophisticated obfuscation — a single semantic signal that the instruction was additive rather than directive was enough to route it past the filter.

    This points to a fundamental challenge in language model guardrail design: filters that operate on the apparent intent of a phrase can be defeated by framing that alters that apparent intent without changing the underlying action being requested.

    Why No Software Patch Closes the GitLost Vulnerability

    GitLost is not a traditional exploitable bug that a vendor can address with a targeted code fix. The underlying issue is structural: GitHub Agentic Workflows grant persistent credentials to private repositories while exposing the agent to adversary-controlled input through public issues. Any organization that combines broad agent repository access with public-issue-triggered workflows faces this exposure, regardless of guardrail updates.

    Noma’s recommended mitigations require architectural changes rather than patches: restrict agent permissions to only the private repositories that automation genuinely requires, avoid workflows where public issue input can trigger agent actions on private resources, and implement human-in-the-loop confirmation requirements for any agent action that reads or publishes sensitive content. Organizations already using the feature should audit the scope of repository permissions granted to their agents and evaluate whether any existing public-facing workflows create an input path from untrusted sources into agent-controlled private repository actions.

    AI Agents With Broad Repository Permissions Are an Emerging Insider Threat Vector

    GitLost illustrates a risk category that grows proportionally with agentic workflow adoption. An AI agent with broad repository permissions functions as an automated insider — one with persistent access to private code, secrets, and configuration data. The attack surface for that insider is any content the agent acts on, which in public repositories includes issues opened by anyone, comments, pull request descriptions, and any other contributor-accessible input channel.

    The structural nature of the flaw means that organizations cannot rely on a platform patch to resolve the exposure. Noma’s coordinated disclosure with GitHub resulted in publication on July 7. GitHub Agentic Workflows remain in public preview, and organizations that have deployed them with wide repository access now face a category of adversarial input — crafted public issues designed to redirect agent behavior — that existing application security tooling was not built to detect. The GitLost disclosure arrives at a moment when enterprise adoption of agentic AI tools is accelerating, and the research makes clear that agent permission scope is not merely a convenience setting but a direct determinant of the blast radius if the agent is successfully redirected.

    Related Posts