HeadlinesBriefing favicon HeadlinesBriefing.com

GitLost Vulnerability Exposes Private Repos via GitHub AI Agent

Hacker News •
×

Noma Labs discovered GitLost, a critical prompt injection vulnerability in GitHub Agentic Workflows that allows unauthenticated attackers to exfiltrate private repository data. The flaw exploits how the AI agent — backed by Claude or GitHub Copilot — processes user-controlled content from GitHub Issues. When a workflow triggers on issue events with cross-repository read permissions, malicious instructions hidden in issue bodies redirect the agent to fetch and publish private file contents as public comments.

The attack requires no credentials or coding skills. An attacker simply opens an issue in a public repository belonging to an organization using Agentic Workflows. The agent reads the issue title and body, then executes hidden commands to access README.md files from both public and private repositories in the same organization. Noma researchers demonstrated leakage from sasinomalabs/testlocal, a private repo, via a crafted issue that appeared to be a routine VP Sales request.

GitHub's guardrails failed when researchers appended the keyword "Additionally" to prompts, causing the model to reframe output instead of refusing. This bypass reveals a systemic weakness: trust boundaries in agentic systems rely on model behavior rather than code-enforced controls. The vulnerability mirrors SQL injection's impact on web applications — a category-wide flaw requiring architectural fixes.

Noma recommends treating all user-controlled content as untrusted, scoping agent permissions to minimum required access, restricting public posting capabilities, and isolating instruction context from user input. The vulnerability was responsibly disclosed to GitHub with full reproduction evidence.