Mastodon Mastodon Mastodon Mastodon

How the GitLost Attack Can Leak Private GitHub Repositories via AI Agents

Photo of author

CyberSecureFox Editorial Team

Published:

Researchers from Noma Security have demonstrated the GitLost attack technique, which makes it possible to extract the contents of an organization’s private repositories via the GitHub Agentic Workflows feature. To carry out the attack, it is enough to create a regular issue in a public repository — no stolen credentials and no access to the organization are required. If the AI agent is configured with read permissions for private repositories, an attacker can force it to publish confidential data in a public comment. Organizations using the Agentic Workflows technical preview should immediately restrict agent token scope to a single repository.

Attack mechanism

GitHub Agentic Workflows is a feature launched in February 2026 in public technical preview. Instead of writing automation scripts, the user describes instructions for an AI agent in natural language inside a Markdown file. The agent independently reads issues and pull requests, invokes tools, and posts responses. As the underlying engine, GitHub Copilot, Anthropic Claude, Google Gemini, or OpenAI Codex can be used.

By default, workflows run in “read-only” mode, but an organization can grant the agent a personal access token with read permissions for all repositories, including private ones. This is exactly the configuration GitLost exploits.

The attack is based on indirect prompt injection — the AI agent cannot reliably distinguish instructions from the owner from instructions injected into the content it is processing. According to the researchers, in their PoC demonstration, the malicious issue was disguised as a routine request from a vice president of sales after a customer meeting. The workflow was configured to trigger when the issue was assigned, read its contents, and post a reply as a comment. After automatic assignment, the agent retrieved the README from a private repository and inserted its contents into a public comment.

Bypassing protection mechanisms

GitHub has built-in protections specifically against this class of attacks. According to the official documentation, the platform warns that “AI agents may be susceptible to manipulation through prompt injection, malicious repository content, or compromised tools.” The product includes a sandbox, read-only tokens by default, input sanitization, and a threat detection stage that scans the agent’s output before publication.

Nevertheless, as Noma’s researchers report, it turned out to be enough to add a single word — “Additionally” — in front of the malicious instruction to bypass the protection. The model interpreted it as a continuation of the task rather than a suspicious command, and the protection filter allowed the output through. It should be noted that this specific bypass has been confirmed only by Noma’s researchers and has not yet been independently reproduced.

Why this attack is fundamentally different

According to Sasi Levy, head of security research at Noma Security, the key difference between GitLost and previous examples of prompt injection is that this attack manipulates not what the agent says, but what the agent does with its privileges. In this case, the agent is not a chat window but an authenticated actor inside the organization’s infrastructure, with read access to repositories that are not available to the attacker.

This configuration matches the model that researcher Simon Willison called the “lethal trifecta”: the agent has access to private data, accepts untrusted external input, and has a channel for sending data out. The combination of all three conditions creates a path for data leakage.

Context: a systemic problem with AI agents

GitLost is not an isolated case but part of a series of similar attacks on AI agents in the GitHub ecosystem. In May 2025, Invariant Labs demonstrated that a public issue can force an agent connected to a GitHub MCP server to read a private repository and exfiltrate data via a pull request. The researchers described the problem as architectural, with no possibility of a server-side fix.

The cross-vendor study Comment and Control showed that Claude Code, Gemini CLI, and GitHub Copilot agents can be coerced into revealing their own API keys via the text of issues and pull requests, while bypassing the additional GitHub runtime protections.

Levy emphasizes that this is not the kind of flaw that can be closed with a patch — it is a structural consequence of granting AI agents persistent credentials while they simultaneously process text accessible to an attacker. In natural language, unlike SQL, there is no clear boundary between data and instructions, so the solution must rely on architecture rather than filtering.

Impact assessment

The impact is limited to organizations that simultaneously: have enabled the Agentic Workflows preview, configured the agent to process untrusted public input, and granted it read permissions for private repositories. However, for such organizations, the potential consequences are serious: depending on the token’s scope, the agent may disclose proprietary source code, internal keys, design documentation, or CI/CD secrets.

Defense recommendations

  • Limit token scope: the personal access token used by the workflow should be limited to the single repository the agent serves, rather than granting organization-wide access.
  • Restrict output channels: minimize publication capabilities for workflows that process public input — the agent’s comment is an exfiltration channel.
  • Filter authors: configure restrictions on which authors the agent accepts content from for processing.
  • Introduce manual review: place the agent’s output behind a human approval step before publication.
  • Do not rely on filters as a security boundary: GitHub’s built-in threat detection stage is an additional line of defense, not a reliable barrier, as demonstrated by the one-word bypass.

Noma disclosed GitLost to GitHub and published the findings with the company’s knowledge. As long as the Agentic Workflows feature remains in preview, organizations using it should adhere to the principle of least privilege: each AI agent should have access only to the repository it directly serves, and any output to a public surface should pass through manual approval.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.