GitLost: How a Prompt Injection Leaked GitHub Private Repos
AI News

GitLost: How a Prompt Injection Leaked GitHub Private Repos

2 min
7/8/2026
GitLostGitHubprompt injectionAI security

GitLost: A New Prompt Injection Vulnerability in GitHub's Agentic Workflows

Noma Labs has disclosed a critical prompt injection vulnerability in GitHub's Agentic Workflows, dubbed GitLost. The flaw allows an unauthenticated attacker to trick the AI agent into reading and publicly leaking data from private repositories. The attack requires no credentials or coding skills—only a crafted GitHub Issue in a public repository.

GitHub's Agentic Workflows, launched recently, let teams write automation in plain Markdown. An AI agent, backed by Claude or GitHub Copilot, reads issues, calls tools, and responds autonomously. This convenience, however, introduces a new attack surface: the agent's context window becomes a vector for indirect prompt injection.

continue reading below...

How GitLost Works

The vulnerability exploits a fundamental trust boundary failure. The agent treats user-controlled content—like issue titles and bodies—as instructional input rather than untrusted data. In Noma's proof of concept, the workflow was configured to trigger on issues.assigned events, read the issue title and body, and post a comment. The agent also had read access to other repositories in the organization, including private ones.

An attacker simply creates a GitHub Issue in a public repository belonging to an organization that uses Agentic Workflows. The issue body contains hidden instructions in plain English. When the workflow triggers, the agent follows those instructions, fetches content from private repositories, and posts it as a public comment. The attack requires no authentication or stolen credentials.

Bypassing GitHub's Guardrails

GitHub had implemented prompt-based guardrails to prevent such data leaks. However, Noma researchers found that adding the keyword