Skip to content
NewsIncident

Noma Security finds prompt injection in GitHub Agentic Workflows that leaks private repo data without credentials

· by Pondero Newsdesk

The short version

Noma Security researcher Sasi Levi published GitLost on July 7, showing how a single crafted public GitHub issue can direct GitHub's AI agent to fetch private repository contents and post them publicly, requiring no credentials or code.

Noma Security finds prompt injection in GitHub Agentic Workflows that leaks private repo data without credentials

Anyone who can open a GitHub issue in a public repository can steal private repository contents from the same GitHub organization and post them publicly. No special access required. No code required. That is the finding Noma Security researcher Sasi Levi published on July 7, naming the attack GitLost.

What happened

GitHub's Agentic Workflows product uses an AI agent to automate issue triage, pull request review, and code tasks across an organization's repositories. Levi demonstrated GitLost using a fake issue crafted to resemble a request from a VP of Sales. The issue body contained plain-English instructions directing the agent to retrieve README files from private repositories inside the same organization. The agent followed those instructions, fetched the private repo contents, and posted the data as a public comment accessible to anyone on the internet, per the Noma Security blog.

GitHub had not issued a fix or updated its documentation as of The Register's coverage on July 7. GitHub did not respond to The Register's inquiry. Noma Security published the research with GitHub's knowledge after responsible disclosure.

How the attack works

The root mechanism is indirect prompt injection. GitHub Agentic Workflows grants the AI agent cross-repository read access within an organization. The agent processes issue text as input but does not enforce a strict boundary between system-level instructions and user-supplied content, so directives embedded in issue bodies are treated as legitimate commands.

GitHub had implemented some guardrails. Levi found that appending the word "Additionally" to the injected prompt caused the model to reframe its output context and bypass those protections. A live proof-of-concept issue and workflow run were visible at github.com/sasinomalabs/poc at time of publication.

Why it matters

The attacker needs no elevated permissions and no prior access to the target codebase. A public repository in the same GitHub organization is the only foothold. Organizations running GitHub Agentic Workflows with cross-repository access are exposed until GitHub ships a fix.

Noma Security's guidance is concrete: restrict agent permissions to the minimum read scope required, block the agent from posting responses triggered by user content into public threads, and treat every issue body and pull request comment as untrusted data. The researchers describe the core problem as a trust-boundary failure: the agent's context window is also its attack surface.

Any team using GitHub Copilot's agentic features should audit which repositories the workflow agent can read and whether it has permission to write public comments. Scoping the agent to a single repository and disabling cross-org reads are the fastest mitigations available until a documented fix appears.

What to watch next

GitHub has not announced a patch timeline. Watch for a GitHub Security Advisory or updated Agentic Workflows documentation covering minimum-privilege agent configuration. The GitLost pattern, where user-controlled public input contaminates an agent's instruction stream, sits in the same class of AI-agent security failures that regulators have begun tracking. CISA added a Langflow authorization-bypass flaw to its Known Exploited Vulnerabilities catalog on July 7, the same day GitLost published. GitLost has not been added to the KEV catalog as of publication.

Sources