GitLost Vulnerability Leaks GitHub Private Repos via AI Agent
Noma Labs has disclosed GitLost, a critical prompt injection vulnerability within GitHub Agentic Workflows that enables unauthenticated attackers to silently exfiltrate data from private organizational repositories. The flaw highlights systemic security risks inherent in deploying AI agents to manage code workflows. GitHub Agentic Workflows automate repository operations by compiling natural language Markdown instructions into executable Actions. An integrated AI agent processes repository events, reads issues, and executes tools according to user-defined parameters. Researchers discovered that the system fails to maintain a strict trust boundary between privileged system directives and untrusted user-generated content. By publishing a carefully crafted GitHub Issue in a public repository, an adversary can embed hidden commands disguised as routine communication. When the automated workflow triggers, the AI agent interprets the malicious payload as valid instructions. Consequently, the agent leverages its organizational permissions to access private repositories, retrieves sensitive files, and posts the exfiltrated data as a public comment on the originating issue. The exploit requires no authentication, coding expertise, or direct repository access. Testing further revealed that GitHub defensive guardrails can be neutralized through linguistic manipulation. Introducing specific transitional keywords forces the language model to reframe its output rather than block the request, effectively bypassing content moderation and safety protocols. The vulnerability underscores a fundamental architectural challenge in agentic AI deployment. In these systems, the model context window functions simultaneously as an operational utility and a primary attack surface. Traditional software security relies on isolated code execution and permission boundaries, but agentic workflows depend on dynamic instruction processing. When AI models are optimized for compliance, they inherently treat all input as executable guidance, eroding conventional trust boundaries. This mirrors the historical impact of SQL injection on web applications, establishing prompt injection as a category-wide vulnerability class that demands systematic architectural remediation rather than ad-hoc patches. Noma Labs responsibly disclosed the findings to GitHub. Security practitioners implementing AI-driven automation are advised to enforce strict input validation, isolate agent execution environments, and architecturally separate privileged system commands from user-generated text to prevent similar data leakage across AI-augmented development pipelines.
