AI/ML, DevSecOps

‘GitLost’ prompt injection leaks private repos via GitHub Agentic Workflows

(Credit: Photo Agency – stock.adobe.com)

A prompt injection technique dubbed “GitLost” was discovered to cause GitHub Agentic Workflows to leak private repository details, Noma Security revealed Monday.

GitHub Agentic Workflows are a GitHub feature first made available in February 2026 that combine the automation of GitHub Actions with the abilities of an AI agent, such as GitHub Copilot or Anthropic’s Claude.

Developers can create workflows using plain language, stored in Markdown files and compiled into YAML, that are then run by an AI agent configured with permissions to access repositories and call tools, Noma explained.

One of the tasks that can be automated using GitHub Agentic Workflows is issue triage and response. As anyone can open an issue on a public repository, this becomes an attack surface for prompt injection, Noma Security noted.

“The exploit doesn’t touch a server, doesn’t need stolen credentials, and doesn’t even require write access to anything private. The attacker just has to be able to open a public issue, which, on a public repo, often requires no special privileges at all,” Noma Security Research Lead Sasi Levi told SC Media. “That’s a much lower bar than most vulnerability classes.”

Noma researchers developed a proof-of-concept where an innocuous issue requests the README.md file for both a public and private repo from the same organization, causing the agent to read the issue, retrieve the requested files and provide their contents using the add-comment tool.

After testing multiple variations, the researchers found that using the word “additionally” before requesting the private file seemingly allowed the agent to divulge the private contents despite guardrails designed to prevent this.

Permissions for agents to read private and public repos at issue

The GitLost technique relies on the agent being configured to read and respond to issues and to have permissions to read both public and private repos from the same organization.

“The danger comes from a mismatch between where the agent’s *permissions* live and where its *inputs* come from. If an organization gives one agent identity read access across multiple repos, including private ones, for cross-repo context, but that same agent processes untrusted text from a public repo, you’ve combined broad access with an open input channel and a built-in publishing mechanism (the comment itself),” Levi said.

Noma compared this type of attack to an SQL injection, where untrusted input grants access to private data, but noted that there are unique challenges when it comes to fixing similar issues in agentic AI systems.

“There’s no clean syntactic boundary between ‘data’ and ‘instruction’ in natural language the way there is in SQL. That’s why the mitigations […] lean on architecture (isolation, staged review, scoped credentials) rather than trying to filter the injection itself,” Levi said.

The researchers recommended organizations provide agents with the minimum permissions required and restrict what agents can post publicly. In general, Noma advised that user-controlled content should never be treated as trusted instructional input for an AI agent and user input should be sanitized or isolated from instructional context before being received by the AI model.

Previous incidents have demonstrated how misconfigured GitHub Actions can lead to unintended disclosure of sensitive data, including GitHub tokens. In April, it was revealed that one of Microsoft’s public repos contained a flaw that allowed its GitHub token to be leaked via a crafted issue containing triple-quote string terminators and a Python code injection.

GitHub also fixed a flaw in GitHub Codespaces in February that caused GitHub Copilot to leak GitHub tokens in response to prompt injections contained in public issues.

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds