Noma Labs has exposed a critical prompt injection vulnerability in GitHub’s Agentic Workflows, dubbed GitLost, that allows unauthenticated attackers to silently extract private repository data.
Noma Labs discovered a prompt injection vulnerability in GitHub's newly launched Agentic Workflows, named GitLost, which allows an unauthenticated attacker to silently pull private repository data by posting a crafted GitHub issue in a public repository belonging to the same organization. By exploiting agent workflows configured to trigger on issue events (like assignment), attackers can instruct the underlying AI agent to fetch files from private repositories and post them as public comments. Despite existing guardrails, researchers found that adding the keyword "Additionally" to their injected prompts caused the model to reframe its output and bypass restrictions, highlighting the fragility of relying on model behavior to enforce security boundaries.
AI agents with cross-repository access create a massive security posture risk if user input is not completely isolated from instruction prompts.
* The agent's context window is its attack surface; treating untrusted issues and PRs as instructions represents a fundamental design flaw.
* Linguistic reframing techniques (such as injecting "Additionally") easily circumvent existing safety guardrails, showing that prompt-based enforcement is inherently brittle.
* Least-privilege access must be strictly applied to AI agent permissions, especially restricting their ability to post public comments containing data retrieved from private boundaries.
DISCOVERED
2h ago
2026-07-08
PUBLISHED
5h ago
2026-07-08
RELEVANCE
AUTHOR
ColinEberhardt