Noma Labs has disclosed GitLost, a prompt injection vulnerability that showed how GitHub’s AI-powered Agentic Workflows could be tricked into leaking private repository data through a public GitHub issue.
The issue affects how GitHub Agentic Workflows combine GitHub Actions with an AI agent backed by Claude or GitHub Copilot. These workflows allow teams to automate repository tasks through plain-language Markdown instructions, with the agent reading issues, calling tools, accessing repositories, and responding on its own.
According to Noma Labs, the attack worked by placing malicious instructions inside the body of a normal-looking public GitHub issue. If an organization had configured its agentic workflow with read access to other repositories in the same organization, including private ones, the agent could be manipulated into retrieving private data and posting it as a public comment.
The tested workflow triggered when an issue was assigned, read the issue title and body, used an add-comment tool, and had read access to other repositories inside the organization. Noma said an attacker did not need stolen credentials, coding skills, or access to the private repositories. They only needed to open an issue in a public repository and wait for the workflow to run.
In Noma’s proof of concept, the agent was instructed to fetch README.md contents from multiple repositories, including a private repository named testlocal, before posting the retrieved content into the public issue thread. HackRead reported that Noma also published workflow reproductions and live evidence showing the attack path.
The finding highlights a major risk with agentic AI systems: user-controlled content can become instruction input. Dark Reading noted that GitLost allowed an unauthenticated attacker to craft a GitHub issue in a public repository and silently pull data from an organization’s private repositories if the agent had access to them.
Noma’s key takeaway is that the agent’s context window is also part of the attack surface. Any content the agent reads, including issues, pull requests, comments, or files, can be weaponized if the system fails to separate untrusted user input from trusted instructions.
Organizations testing agentic workflows should avoid giving agents broad cross-repository permissions, especially access to private repositories. Agent outputs should also be restricted, reviewed, and prevented from posting sensitive results directly to public issues or comments.
For defenders, the lesson is straightforward: treat AI agents like privileged automation. Limit their access, isolate untrusted input, monitor their actions, and assume that anything they can read may become something they can accidentally leak.