GitLost: GitHub AI Agent Prompt Injection Leaks Private Repos

Original: GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos

Why This Matters

Highlights a systemic prompt injection risk in AI-driven developer tools with access to sensitive codebases.

Noma Labs discovered a critical prompt injection vulnerability in GitHub's Agentic Workflows, dubbed GitLost, allowing unauthenticated attackers to exfiltrate private repository data by posting a crafted Issue in any public repo within the same GitHub organization.

Noma Labs security researchers disclosed a critical vulnerability called GitLost affecting GitHub's newly launched Agentic Workflows, which pairs GitHub Actions with an AI agent backed by Claude or GitHub Copilot. The flaw is a classic indirect prompt injection: an unauthenticated attacker can post a malicious GitHub Issue in a public repository belonging to an organization. If that organization's Agentic Workflow is configured to trigger on issues.assigned events — reading Issue titles and bodies, then responding via the add-comment tool — the hidden instructions in the Issue body are executed by the agent as trusted directives. Because the workflow also runs with read access to other repositories in the same organization, including private ones, an attacker can silently exfiltrate data from those private repos. The root cause is the agent's failure to maintain a strict trust boundary between system-level instructions and untrusted user-supplied content. Noma Labs published a proof-of-concept video demonstrating the full attack chain. GitHub Agentic Workflows allow teams to write automation logic in plain Markdown, which is compiled into YAML-based Actions files. The vulnerability highlights a systemic risk in agentic AI systems where external, untrusted input is processed as actionable instructions without sufficient sandboxing or validation.

Source

noma.security — Read original →