Security researchers at Noma Labs have disclosed a vulnerability dubbed “GitLost” that shows how a single, innocuous-looking GitHub Issue can be weaponized to trick GitHub’s AI-powered Agentic Workflows into leaking the contents of private repositories to the public internet. No credentials, coding skills, or system access are required, only the ability to open an issue on a repository the agent monitors.
What Are Agentic Workflows?
GitHub Agentic Workflows pair GitHub Actions with an AI agent, backed by models such as Claude or GitHub Copilot, that lets teams write automation instructions in plain Markdown, which then compiles into YAML Actions files. These agents can read issues, call external tools, post comments, and access other repositories within an organization based on whatever permissions they have been configured with, often without a human reviewing every individual action the agent takes.
That combination of broad permissions and autonomous action is precisely what made the GitLost technique effective.
How the Attack Works
The vulnerability stems from a classic indirect prompt-injection flaw. The specific workflow Noma Labs examined was configured to trigger on issues.assigned events, reading the issue title and body and then responding automatically based on that content. Because the underlying AI agent could not reliably distinguish between trusted system instructions and untrusted, attacker-supplied content inside the issue, any attacker could embed plain-English commands inside an issue body and have the agent execute them as if they were legitimate directives.
To demonstrate the flaw, Noma Labs crafted an innocuous-looking issue designed to mimic a routine request from a “VP of Sales” following a customer meeting. Once the issue was assigned, which triggered the workflow, the agent fetched README.md contents from both a public repository and a private repository, then posted the combined output as a public comment, visible to anyone with access to the issue thread.
The “Additionally” Trick That Bypassed Guardrails
One of the more striking findings from the research is a simple linguistic technique that defeated GitHub’s existing safety mechanisms. Researchers found that adding the word “Additionally” before an injected instruction was often enough to bypass guardrails designed to catch and refuse suspicious requests. Rather than triggering a refusal, the word appeared to reframe the model’s output as a continuation of a legitimate task rather than a new, potentially malicious instruction. This subtle framing shift was sufficient to defeat protections meant to prevent exactly this kind of data leak.
What Was Actually Leaked
In the proof-of-concept, the leaked data included README contents from both a public demonstration repository and a private repository that should not have been accessible outside the organization. While the demonstration was limited in scope, the underlying flaw would generalize to any content the agent has read access to, including source code, internal documentation, and configuration files, depending on how broadly the agent’s permissions were scoped.
Why This Matters Beyond GitHub
GitLost is part of a growing category of AI agent vulnerabilities rooted in indirect prompt injection, where the danger comes not from a directly compromised model but from untrusted content the agent processes as part of its normal job. As organizations grant AI agents read and write access to internal repositories, ticketing systems, and communication tools, any user-controllable input field, including something as mundane as an issue title, effectively becomes an attack surface for the agent’s behavior.
Recommended Mitigations
- Scope AI agent permissions as narrowly as possible; avoid granting broad cross-repository read access by default.
- Treat all issue, comment, and pull-request content as untrusted input, and design agent workflows to explicitly separate system instructions from user-supplied text.
- Require human approval for any agent action that posts content publicly or accesses a private repository, rather than allowing fully autonomous execution.
- Monitor and log agent actions, including which repositories were accessed and what triggered each action, to enable rapid detection of anomalous behavior.
- Test agentic workflows against known prompt-injection techniques, including simple reframing tricks like the “Additionally” bypass identified by Noma Labs, before deploying them in production.
As AI agents become more deeply embedded in software development workflows, GitLost is a clear reminder that classic web and application security principles, such as never trusting user input, apply just as forcefully to autonomous AI agents as they do to traditional application code.