A prompt injection technique dubbed “GitLost” was discovered to cause GitHub Agentic Workflows to leak private repository details, Noma Security revealed Monday.GitHub Agentic Workflows are a GitHub feature first made available in February 2026 that combine the automation of GitHub Actions with the abilities of an AI agent, such as GitHub Copilot or Anthropic’s Claude.Developers can create workflows using plain language, stored in Markdown files and compiled into YAML, that are then run by an AI agent configured with permissions to access repositories and call tools, Noma explained.One of the tasks that can be automated using GitHub Agentic Workflows is issue triage and response. As anyone can open an issue on a public repository, this becomes an attack surface for prompt injection, Noma Security noted.“The exploit doesn’t touch a server, doesn’t need stolen credentials, and doesn’t even require write access to anything private. The attacker just has to be able to open a public issue, which, on a public repo, often requires no special privileges at all,” Noma Security Research Lead Sasi Levi told SC Media. “That’s a much lower bar than most vulnerability classes.”Noma researchers developed a proof-of-concept where an innocuous issue requests the README.md file for both a public and private repo from the same organization, causing the agent to read the issue, retrieve the requested files and provide their contents using the add-comment tool.After testing multiple variations, the researchers found that using the word “additionally” before requesting the private file seemingly allowed the agent to divulge the private contents despite guardrails designed to prevent this.
AI/ML, DevSecOps
‘GitLost’ prompt injection leaks private repos via GitHub Agentic Workflows

(Credit: Photo Agency – stock.adobe.com)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



