XOOMAR
AI workflow security breach exposing private repository data through a malicious issue
CybersecurityJuly 10, 2026· 7 min read· By XOOMAR Insights Team

GitLost Turns GitHub Agentic Workflows Against Private Repos

Share
Updated on July 10, 2026

One crafted public GitHub Issue was enough for researchers to show how a GitHub Agentic Workflows prompt injection flaw could push an AI workflow across the line from public triage into private repository data.

XOOMAR Intelligence

Analyst Take

65/ 100
Moderate
4 sources analyzedLow confidenceTrend10Freshness100Source Trust85Factual Grounding88Signal Cluster20

Researchers at Noma Labs named the vulnerability GitLost, according to SecurityWeek. The attack did not require authentication to the private repositories. It relied on a simpler path: post a malicious prompt inside a public Issue belonging to an organization that also runs AI-powered GitHub workflows with access to private repos.

“To exploit this vulnerability, the attacker needed no coding skills, access, or credentials. All that was needed was to open an issue in a public repository belonging to an organization that uses GitHub’s Agentic Workflow setup and wait,” Noma explains.

One public Issue can become a private repo leak

The core risk is not that GitHub forgot to check a password. It is that an AI agent with legitimate access can be tricked into using that access the wrong way.

GitHub Agentic Workflows lets users describe workflows in natural language using markdown files. An AI agent then uses those instructions as GitHub Actions, automating repository work. That can be useful for issue triage, documentation, code review, repository management, and security assistance.

GitLost shows the darker side of that setup. A public Issue is meant to be an open collaboration surface. A private repository is meant to be closed. If the same AI workflow reads the public Issue and also has read access to private repositories, the Issue becomes more than user feedback. It becomes input to a privileged automation system.

XOOMAR analysis: that is the trust boundary failure. The workflow may be authorized. The attacker is not. The agent becomes the bridge.


How the GitHub Agentic Workflows prompt injection crossed the boundary

Noma Labs found a GitHub Agentic Workflow configured to trigger on issues.assigned events. The workflow read the Issue title and body, then posted a comment in response. Crucially, SecurityWeek reports that the workflow ran with read access to both public and private repositories maintained by the same organization.

The attack path was plain:

Step What happened
Public input An attacker posted a crafted Issue in a public repository
Agent processing The AI workflow read the Issue title and body
Privileged access The workflow had read access to public and private repositories
Public output The agent posted repository content in a public comment

The prompt injection sat inside content the agent was expected to process. In Noma’s test, the crafted Issue looked like a plausible request from sales leadership. It instructed the agent to fetch Readme.md files from both public and private repositories and post them as a public comment.

That is what makes agentic systems riskier than simple chatbots. A chatbot can answer badly. An agent can read files, call tools, summarize sensitive material, and publish the output somewhere visible.

The README test shows how little force the attack needed

Noma’s proof of concept did not depend on breaking encryption, stealing credentials, or exploiting a memory corruption bug. The workflow already had the access. The attacker only needed to steer it.

SecurityWeek reports that the crafted GitHub Issue caused the agent to retrieve contents of Readme.md files from public and private repositories and post them publicly. The exposed material in this test was README content, but the mechanism matters more than the specific file.

Depending on how a workflow is wired, the same pattern could expose internal documentation, proprietary code fragments, dependency details, security notes, or business logic. The source does not say Noma extracted secrets, tokens, or credentials in this GitLost proof of concept, so that should not be assumed. The demonstrated risk is narrower and still serious: private repository data could be copied into a public comment without the attacker holding private repo access.

GitHub had guardrails intended to block this behavior. Noma said those protections failed after researchers tested variations and eventually triggered the behavior by adding the keyword “additionally”.

Old CI scripts follow rules. AI agents interpret hostile text

Traditional automation bugs usually come from deterministic logic: a bad permission check, an unsafe script, a vulnerable package, a misconfigured token. XOOMAR has covered those more familiar patterns in cases such as Microsoft Defender Flaw Lets Hackers Seize SYSTEM Access and Tenda Firmware Backdoor Lets Attackers Seize Routers. GitLost sits in a different class.

A fixed CI script runs what it was written to run. An AI agent interprets natural language, including language supplied by outsiders.

That changes containment. If an agent reads Issues, pull requests, comments, or files, each of those inputs can shape what it does next. Noma put it sharply:

“GitLost perfectly illustrates one of the fundamental security challenges every organization faces with agentic AI systems. The agent’s context window is also its attack surface. Any content the agent reads, whether issues, pull requests, comments, or files, can be weaponized if the agent treats that content as instructional input,” Noma says.

The exfiltration path can also look normal. A public comment, generated summary, PR review, or log line may be enough to leak data. No exotic outbound channel is required if the agent can be persuaded to disclose information through its ordinary output.

Practical defenses start with shrinking what the agent can touch

Noma’s recommendations are direct: treat all user-controlled content as untrusted, restrict agent permissions to the minimum required, restrict what agents can post publicly, and sanitize user input before it reaches AI agents.

For teams using GitHub Agentic Workflows prompt injection defenses, that means public Issue processors should not automatically read private repositories unless there is a narrow, reviewed reason. If an agent’s job is to triage public Issues, it probably does not need organization-wide private repo visibility.

XOOMAR analysis: teams can translate Noma’s principles into operating controls such as:

  • Least privilege: Give workflow tokens only the repository and file access required for the task.
  • Input separation: Keep user-submitted Issue text separate from trusted system instructions.
  • Output limits: Prevent agents that read untrusted content from posting private file contents into public comments.
  • Human review: Require approval before an agent accesses private repositories or publishes sensitive summaries.
  • Sanitization: Strip or neutralize user text before it is passed into prompts that can trigger tool calls.

The design rule is simple: every new tool an agent can call becomes a new path for abuse if public text can influence the call.

GitLost points to the next software supply-chain weak spot

GitLost signals a shift in software supply-chain risk toward AI-assisted development pipelines. Public collaboration features such as Issues, pull requests, comments, and documentation become attack surfaces when agents consume them automatically and act with elevated repository access.

That does not mean teams should abandon AI coding agents. It means they need inventories of where those agents run, what repositories they can read, what events trigger them, and where their outputs can appear.

The immediate watch item is whether organizations using GitHub Agentic Workflows audit permissions before expanding agent use. The practical takeaway is blunt: if an AI workflow can read public text and private code in the same session, it needs hard guardrails before it is trusted near sensitive engineering data.

Impact Analysis

  • A public GitHub Issue could be used to manipulate an AI workflow with access to private repositories.
  • The flaw shows how trusted AI agents can become a bridge between open collaboration spaces and sensitive internal code.
  • Organizations using agentic workflows need stricter permission boundaries and prompt-injection defenses.
XOOMAR

Written by

XOOMAR Insights Team

Research and Editorial Desk

The XOOMAR Insights Team pairs automated research with human editorial judgment. We track hundreds of sources across technology, fintech, trading, SaaS, and cybersecurity, cross-check the facts, and explain what happened, why it matters, and what to watch next. We do not just rewrite headlines. Every article is fact-checked and scored for reliability before it goes live, and we link back to the original sources so you can verify anything yourself.

Related Articles

AI agent workstation with shielded data defenses blocking a code execution breachCybersecurity

AutoJack Turns AutoGen Studio Flaw Into Code Execution Risk

Microsoft patched the AutoGen Studio flaw before PyPI release, but AutoJack exposes a dangerous trust gap in local AI agents.

Jun 22, 20267 min
Dark cyber scene of malware deceiving AI analysis with shields, locks, glitches, and encrypted data streams.Cybersecurity

Gaslight macOS Malware Tricks the AI Tools Hunting It

Gaslight hides fake errors in a Rust binary to mislead AI analysis tools before defenders understand what the macOS malware does.

Jun 27, 20268 min
Futuristic identity security hub protecting humans, machines and AI agents with shields and data streams.Cybersecurity

$66M Bet Throws NewCore Into AI Identity Security Fight

NewCore exits stealth with $66M to secure human, machine and AI agent identities from one enterprise control plane.

Jun 21, 20266 min
AI agent core amid rapid security patches, shields, locks, and warning glows in a dark cyber operations room.Cybersecurity

30 Silent Fixes Drag Claude Code Into a CISO Patch Crisis

Claude Code's 30-plus quiet fixes show AI agent updates are becoming a security risk CISOs can't treat like ordinary patches.

Jun 17, 20269 min
AI coding agent lured by a clean repo into malware trap with reverse shell connectionCybersecurity

Clean GitHub Repo Tricks AI Coding Agents Into Malware

A clean GitHub repo can trick AI coding agents into fixing setup errors that execute malware and open a reverse shell.

Jun 27, 20268 min
Gold bars on a trading desk with bearish market charts and cinematic financial screens.Trading

Gold Price Forecast Pins $4,100 Bulls in a Macro Trap

Gold’s 1.6% weekly slide shows $4,100 support isn’t enough. Oil, dollar strength, and rate pressure are pinning XAU/USD bulls.

Jul 10, 20267 min
Generic EV in a dim tech showroom with anxious owner silhouette and fading network connections.Technology

Polestar US Exit Leaves EV Owners Stuck With the Bill

Polestar's US exit puts owners on the hook for service, leases and resale risk as connected-car rules shut down future sales.

Jul 10, 20268 min
UK shop surveillance cameras using AI facial recognition as police lights glow outsideTechnology

4-Second Police Alerts Drag Facial Recognition Into UK Shops

Facewatch will let UK shop cameras alert police in seconds, escalating a retail theft tool into a real-time surveillance fight.

Jul 10, 20269 min
Forex trading desk showing NZD/USD momentum rising toward technical resistanceTrading

NZD/USD Price Forecast Puts Bulls on Trial at 0.5800

NZD/USD hit a three-week high after the RBNZ hike, but bulls still need a clean break above 0.5800 to change the bigger trend.

Jul 10, 20268 min
Crypto trading desk showing Bitcoin price consolidation with sideways charts and tense market atmosphereTrading

Bitcoin Consolidation Traps Bulls in 307-Day Range

$60K-$70K has trapped Bitcoin for 307 days, its third-longest $10K consolidation ever. The breakout clock is getting louder.

Jul 10, 20267 min

Don't miss the signal

Get our weekly roundup of the stories that matter across tech, fintech, and trading. No noise, just signal.

Free forever. No spam. Unsubscribe anytime.