GitLost: Prompt Injection Leaks Private GitHub Repos
GitLost shows how one public GitHub Issue can leak private repo data via prompt injection in Agentic Workflows. Key lessons for securing agentic systems.

On July 7–9, 2026, Wiz Research disclosed GhostApproval, a category-level security flaw affecting six major AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Cursor, Google Antigravity, Windsurf, and Augment.
The vulnerability combines a decades-old Unix primitive — symbolic links — with a modern AI-specific failure in how approval prompts are presented to users. The result is that a malicious repository can trick an agent into writing attacker-controlled content to sensitive locations outside the intended workspace sandbox, potentially granting persistent remote access.
An attacker creates a repository containing a symbolic link with an innocuous name (for example, project_settings.json) that actually points to a sensitive file on the developer’s machine, such as ~/.ssh/authorized_keys.
When a developer clones this repository and asks their AI coding assistant to “set up the workspace,” “follow the README,” or perform file operations, the agent follows the symlink and writes the attacker-supplied content (such as an SSH public key) to the real target location.
The critical failure is in the approval UX: in multiple affected tools, the agent internally recognizes that the target is dangerous, yet the confirmation dialog presented to the user only displays the harmless symlink filename. The developer approves what appears to be a benign edit, unknowingly authorizing a sandbox escape.
Wiz demonstrated successful attacks that resulted in the attacker’s SSH key being written to the victim’s authorized keys file, enabling passwordless remote access.
The flaw impacts a broad set of popular AI coding tools:
No confirmed in-the-wild exploitation has been reported yet, but the attack requires only a public malicious repository and a developer using an affected tool — a very low bar.
GhostApproval is not merely a bug in one or two tools. It reveals a systemic weakness in how current agentic coding assistants handle file system operations and user consent:
These issues are particularly acute because AI coding assistants are explicitly designed to increase developer velocity by performing file operations on the developer’s behalf. The more agency these tools are given, the higher the impact when approval mechanisms fail.
For AI security architects and DevSecOps teams, GhostApproval highlights several urgent priorities:
1. Re-evaluate trust in AI coding assistants on untrusted codebases.
Cloning and opening arbitrary repositories with AI agents that have file system access is now demonstrably risky. Organizations should consider sandboxing AI coding sessions, using ephemeral environments, or restricting these tools to internal, trusted codebases until the ecosystem matures.
2. Demand better canonical path handling and transparent approvals.
Security teams should push vendors for consistent behavior: always resolve symlinks to their canonical targets before showing approval prompts, and surface the real destination clearly to the user.
3. Treat AI coding agents as high-privilege tools.
These assistants often run with the developer’s full user permissions. Any compromise or misbehavior has direct impact on the developer’s machine and potentially on connected systems. Apply the same scrutiny and controls used for other high-privilege development tools.
4. Update red teaming and threat modeling.
Include symlink attacks, misleading UI/UX patterns, and “approval bypass via context manipulation” scenarios when testing AI coding and agentic development workflows. These are no longer theoretical.
5. Monitor vendor patch cadence and disclosures.
The relatively rapid response from Amazon, Cursor, and Google is encouraging, but the divergence in how vendors classify the issue (especially Anthropic’s position) shows that the industry has not yet converged on consistent security expectations for agentic dev tools.
GhostApproval sits alongside other recent disclosures (including GitLost in GitHub Agentic Workflows) as concrete evidence that agentic systems are expanding the attack surface faster than current controls and UX patterns can contain.
Both incidents share a common theme: untrusted or attacker-controlled content is being processed by agents that have the ability to take meaningful actions, and the guardrails around context ingestion, permission boundaries, and human oversight are still immature.
As agentic development tools become more powerful and more widely adopted, these classes of vulnerabilities will likely become more frequent unless the ecosystem invests heavily in:
GhostApproval shows that even “helpful” AI coding assistants can be turned into vectors for persistent access with relatively simple techniques. The combination of symlink following and non-transparent approval dialogs creates a practical attack that bypasses both technical sandboxing and human judgment.
Security teams should treat current-generation AI coding agents as powerful but high-risk tools. Until stronger sandboxing, canonical path enforcement, and trustworthy approval UX become standard, the safest approach is to limit their use on untrusted code and to apply additional compensating controls around developer workstations and credentials.
The good news is that several major vendors moved quickly once the issue was disclosed. The broader challenge for the industry is to move from reactive patching to designing agentic development systems with security boundaries that are resilient by default.
This post is based exclusively on disclosures and analysis from July 7–9, 2026.
Trent Leis
AI security consultant specializing in governance frameworks for regulated industries.
About the author →GitLost shows how one public GitHub Issue can leak private repo data via prompt injection in Agentic Workflows. Key lessons for securing agentic systems.
GuardFall shows how classic Bash tricks bypass AI coding agents' safety filters. Learn why regex guards fail and how to build resilient tool-use layers.
Mapping OWASP Top 10 for Agentic App risks to 2026 architecture patterns, incorporating GPT-5.6 over-agency findings for practical stack-level defenses.
Book a free 30-minute discovery call — no slides, just conversation.