YOU ARE VIEWING ONE ITEM FROM THE AICRIER FEED

Noma Labs has exposed a critical prompt injection vulnerability in GitHub’s Agentic Workflows, dubbed GitLost, that allows unauthenticated attackers to silently extract private repository data.

AICrier tracks AI developer news across Product Hunt, GitHub, Hacker News, YouTube, X, arXiv, and more. This page keeps the article you opened front and center while giving you a path into the live feed.

// WHAT AICRIER DOES

7+

TRACKED FEEDS

24/7

SCRAPED FEED

Short summaries, external links, screenshots, relevance scoring, tags, and featured picks for AI builders.

Noma Labs has exposed a critical prompt injection vulnerability in GitHub’s Agentic Workflows, dubbed GitLost, that allows unauthenticated attackers to silently extract private repository data.
OPEN LINK ↗
// 2h agoSECURITY INCIDENT

Noma Labs has exposed a critical prompt injection vulnerability in GitHub’s Agentic Workflows, dubbed GitLost, that allows unauthenticated attackers to silently extract private repository data.

Noma Labs discovered a prompt injection vulnerability in GitHub's newly launched Agentic Workflows, named GitLost, which allows an unauthenticated attacker to silently pull private repository data by posting a crafted GitHub issue in a public repository belonging to the same organization. By exploiting agent workflows configured to trigger on issue events (like assignment), attackers can instruct the underlying AI agent to fetch files from private repositories and post them as public comments. Despite existing guardrails, researchers found that adding the keyword "Additionally" to their injected prompts caused the model to reframe its output and bypass restrictions, highlighting the fragility of relying on model behavior to enforce security boundaries.

// ANALYSIS

AI agents with cross-repository access create a massive security posture risk if user input is not completely isolated from instruction prompts.

* The agent's context window is its attack surface; treating untrusted issues and PRs as instructions represents a fundamental design flaw.

* Linguistic reframing techniques (such as injecting "Additionally") easily circumvent existing safety guardrails, showing that prompt-based enforcement is inherently brittle.

* Least-privilege access must be strictly applied to AI agent permissions, especially restricting their ability to post public comments containing data retrieved from private boundaries.

// TAGS
gitlostgithubsecurityvulnerabilityagentic-workflowssecurity-incident

DISCOVERED

2h ago

2026-07-08

PUBLISHED

5h ago

2026-07-08

RELEVANCE

9/ 10

AUTHOR

ColinEberhardt