One crafted public GitHub Issue was enough for researchers to show how a GitHub Agentic Workflows prompt injection flaw could push an AI workflow across the line from public triage into private repository data.

GitLost Turns GitHub Agentic Workflows Against Private Repos
XOOMAR Intelligence
Analyst Take
Researchers at Noma Labs named the vulnerability GitLost, according to SecurityWeek. The attack did not require authentication to the private repositories. It relied on a simpler path: post a malicious prompt inside a public Issue belonging to an organization that also runs AI-powered GitHub workflows with access to private repos.
“To exploit this vulnerability, the attacker needed no coding skills, access, or credentials. All that was needed was to open an issue in a public repository belonging to an organization that uses GitHub’s Agentic Workflow setup and wait,” Noma explains.
One public Issue can become a private repo leak
The core risk is not that GitHub forgot to check a password. It is that an AI agent with legitimate access can be tricked into using that access the wrong way.
GitHub Agentic Workflows lets users describe workflows in natural language using markdown files. An AI agent then uses those instructions as GitHub Actions, automating repository work. That can be useful for issue triage, documentation, code review, repository management, and security assistance.
GitLost shows the darker side of that setup. A public Issue is meant to be an open collaboration surface. A private repository is meant to be closed. If the same AI workflow reads the public Issue and also has read access to private repositories, the Issue becomes more than user feedback. It becomes input to a privileged automation system.
XOOMAR analysis: that is the trust boundary failure. The workflow may be authorized. The attacker is not. The agent becomes the bridge.
How the GitHub Agentic Workflows prompt injection crossed the boundary
Noma Labs found a GitHub Agentic Workflow configured to trigger on issues.assigned events. The workflow read the Issue title and body, then posted a comment in response. Crucially, SecurityWeek reports that the workflow ran with read access to both public and private repositories maintained by the same organization.
The attack path was plain:
| Step | What happened |
|---|---|
| Public input | An attacker posted a crafted Issue in a public repository |
| Agent processing | The AI workflow read the Issue title and body |
| Privileged access | The workflow had read access to public and private repositories |
| Public output | The agent posted repository content in a public comment |
The prompt injection sat inside content the agent was expected to process. In Noma’s test, the crafted Issue looked like a plausible request from sales leadership. It instructed the agent to fetch Readme.md files from both public and private repositories and post them as a public comment.
That is what makes agentic systems riskier than simple chatbots. A chatbot can answer badly. An agent can read files, call tools, summarize sensitive material, and publish the output somewhere visible.
The README test shows how little force the attack needed
Noma’s proof of concept did not depend on breaking encryption, stealing credentials, or exploiting a memory corruption bug. The workflow already had the access. The attacker only needed to steer it.
SecurityWeek reports that the crafted GitHub Issue caused the agent to retrieve contents of Readme.md files from public and private repositories and post them publicly. The exposed material in this test was README content, but the mechanism matters more than the specific file.
Depending on how a workflow is wired, the same pattern could expose internal documentation, proprietary code fragments, dependency details, security notes, or business logic. The source does not say Noma extracted secrets, tokens, or credentials in this GitLost proof of concept, so that should not be assumed. The demonstrated risk is narrower and still serious: private repository data could be copied into a public comment without the attacker holding private repo access.
GitHub had guardrails intended to block this behavior. Noma said those protections failed after researchers tested variations and eventually triggered the behavior by adding the keyword “additionally”.
Old CI scripts follow rules. AI agents interpret hostile text
Traditional automation bugs usually come from deterministic logic: a bad permission check, an unsafe script, a vulnerable package, a misconfigured token. XOOMAR has covered those more familiar patterns in cases such as Microsoft Defender Flaw Lets Hackers Seize SYSTEM Access and Tenda Firmware Backdoor Lets Attackers Seize Routers. GitLost sits in a different class.
A fixed CI script runs what it was written to run. An AI agent interprets natural language, including language supplied by outsiders.
That changes containment. If an agent reads Issues, pull requests, comments, or files, each of those inputs can shape what it does next. Noma put it sharply:
“GitLost perfectly illustrates one of the fundamental security challenges every organization faces with agentic AI systems. The agent’s context window is also its attack surface. Any content the agent reads, whether issues, pull requests, comments, or files, can be weaponized if the agent treats that content as instructional input,” Noma says.
The exfiltration path can also look normal. A public comment, generated summary, PR review, or log line may be enough to leak data. No exotic outbound channel is required if the agent can be persuaded to disclose information through its ordinary output.
Practical defenses start with shrinking what the agent can touch
Noma’s recommendations are direct: treat all user-controlled content as untrusted, restrict agent permissions to the minimum required, restrict what agents can post publicly, and sanitize user input before it reaches AI agents.
For teams using GitHub Agentic Workflows prompt injection defenses, that means public Issue processors should not automatically read private repositories unless there is a narrow, reviewed reason. If an agent’s job is to triage public Issues, it probably does not need organization-wide private repo visibility.
XOOMAR analysis: teams can translate Noma’s principles into operating controls such as:
- Least privilege: Give workflow tokens only the repository and file access required for the task.
- Input separation: Keep user-submitted Issue text separate from trusted system instructions.
- Output limits: Prevent agents that read untrusted content from posting private file contents into public comments.
- Human review: Require approval before an agent accesses private repositories or publishes sensitive summaries.
- Sanitization: Strip or neutralize user text before it is passed into prompts that can trigger tool calls.
The design rule is simple: every new tool an agent can call becomes a new path for abuse if public text can influence the call.
GitLost points to the next software supply-chain weak spot
GitLost signals a shift in software supply-chain risk toward AI-assisted development pipelines. Public collaboration features such as Issues, pull requests, comments, and documentation become attack surfaces when agents consume them automatically and act with elevated repository access.
That does not mean teams should abandon AI coding agents. It means they need inventories of where those agents run, what repositories they can read, what events trigger them, and where their outputs can appear.
The immediate watch item is whether organizations using GitHub Agentic Workflows audit permissions before expanding agent use. The practical takeaway is blunt: if an AI workflow can read public text and private code in the same session, it needs hard guardrails before it is trusted near sensitive engineering data.
Impact Analysis
- A public GitHub Issue could be used to manipulate an AI workflow with access to private repositories.
- The flaw shows how trusted AI agents can become a bridge between open collaboration spaces and sensitive internal code.
- Organizations using agentic workflows need stricter permission boundaries and prompt-injection defenses.
Sources
- [1] SecurityWeek
- [2] AI Agent Prompt Injection: The New CI/CD Supply Chain Threat
- [3] 'GitLost' vulnerability let GitHub's AI workflows leak private repositories - SiliconANGLE
- [4] Active Exploitation Alert: Prompt Injection Vulnerability in GitHub Agentic Workflows Threatens Software Supply Chain Security
Written by
XOOMAR Insights Team
Research and Editorial Desk
The XOOMAR Insights Team pairs automated research with human editorial judgment. We track hundreds of sources across technology, fintech, trading, SaaS, and cybersecurity, cross-check the facts, and explain what happened, why it matters, and what to watch next. We do not just rewrite headlines. Every article is fact-checked and scored for reliability before it goes live, and we link back to the original sources so you can verify anything yourself.
Explore More Topics
Related Articles
CybersecurityAutoJack Turns AutoGen Studio Flaw Into Code Execution Risk
Microsoft patched the AutoGen Studio flaw before PyPI release, but AutoJack exposes a dangerous trust gap in local AI agents.
CybersecurityGaslight macOS Malware Tricks the AI Tools Hunting It
Gaslight hides fake errors in a Rust binary to mislead AI analysis tools before defenders understand what the macOS malware does.
Cybersecurity$66M Bet Throws NewCore Into AI Identity Security Fight
NewCore exits stealth with $66M to secure human, machine and AI agent identities from one enterprise control plane.
Cybersecurity30 Silent Fixes Drag Claude Code Into a CISO Patch Crisis
Claude Code's 30-plus quiet fixes show AI agent updates are becoming a security risk CISOs can't treat like ordinary patches.
CybersecurityClean GitHub Repo Tricks AI Coding Agents Into Malware
A clean GitHub repo can trick AI coding agents into fixing setup errors that execute malware and open a reverse shell.
TradingGold Price Forecast Pins $4,100 Bulls in a Macro Trap
Gold’s 1.6% weekly slide shows $4,100 support isn’t enough. Oil, dollar strength, and rate pressure are pinning XAU/USD bulls.
TechnologyPolestar US Exit Leaves EV Owners Stuck With the Bill
Polestar's US exit puts owners on the hook for service, leases and resale risk as connected-car rules shut down future sales.
Technology4-Second Police Alerts Drag Facial Recognition Into UK Shops
Facewatch will let UK shop cameras alert police in seconds, escalating a retail theft tool into a real-time surveillance fight.
TradingNZD/USD Price Forecast Puts Bulls on Trial at 0.5800
NZD/USD hit a three-week high after the RBNZ hike, but bulls still need a clean break above 0.5800 to change the bigger trend.
TradingBitcoin Consolidation Traps Bulls in 307-Day Range
$60K-$70K has trapped Bitcoin for 307 days, its third-longest $10K consolidation ever. The breakout clock is getting louder.
Don't miss the signal
Get our weekly roundup of the stories that matter across tech, fintech, and trading. No noise, just signal.
Free forever. No spam. Unsubscribe anytime.