News
GitLost Flaw Let Attackers Steal Private GitHub Repos via a Simple Issue
Researchers at Noma Security disclosed GitLost, a vulnerability that let anyone with no credentials or access extract private organization repository data through a simple GitHub issue processed by GitHub Agentic Workflows. GitHub has not yet shipped a fix.
Security researchers at Noma Security have described a vulnerability dubbed GitLost that allowed attackers to pull data out of private company repositories on GitHub without any login credentials, access rights, or programming skills. All it took was opening a seemingly ordinary issue in a public repository belonging to an organization using the GitHub Agentic Workflows feature.
How the attack works
GitHub Agentic Workflows is a feature launched in public preview in February 2026 that lets developers describe a task to an AI agent in plain English inside a Markdown file, instead of writing automation scripts. The agent, built on Claude or GitHub Copilot, reads issues and pull requests on its own, runs tools, and responds without human oversight.
The problem is that such an agent cannot reliably distinguish instructions from the organization's owner from instructions hidden in the content it happens to be reading. If an attacker plants a command inside the body of an issue in a public repository, the agent may simply carry it out. This is a known class of vulnerability called indirect prompt injection.
To exploit this vulnerability, an attacker needed no coding skills, no access, and no login credentials. All it took was opening an issue in a public repository of an organization using GitHub Agentic Workflows and waiting - Sasi Levi, Head of Research, Noma Security
Scale of the risk
The risk applies to organizations that have enabled the preview feature and configured an agent to read untrusted public content while also having read access to private repositories and the ability to post comments publicly. In practice, that means companies maintaining both public and private repositories under the same organizational account, a common setup among tech companies that use GitHub for open source development alongside internal code.
The researchers also described a specific technique for bypassing GitHub's safeguards. Adding the word Additionally to the injected command was enough to reframe how the model interpreted the rest of the instruction, avoiding a refusal instead of triggering one. This subtle linguistic trick proved effective against mechanisms specifically designed to prevent this kind of leak.
No response from GitHub
According to The Register, no fix had been deployed by GitHub as of publication. The researchers proposed documentation encouraging safer strategies for sharing API keys across repositories, but GitHub has not published such guidance. Microsoft, which owns GitHub, did not respond to reporters' questions on the matter.
What it means for dev teams
GitLost is the latest in a string of recent vulnerabilities stemming not from a code bug, but from the very nature of AI agents operating on untrusted input. Teams using the GitHub Agentic Workflows preview should, until a fix ships, limit agent access strictly to the repositories where the agent operates, and avoid granting broad read access to private repositories for agents that also handle public content.
The case adds to a growing list of vulnerabilities disclosed in agentic developer tools in recent weeks, underscoring that permission-isolation mechanisms in such systems are still lagging behind the pace at which autonomous agent features are being rolled out.
Sources: The Register (theregister.com), The Hacker News (thehackernews.com)


