Skip to main content

GitLost: Prompt Injection Leaks Private GitHub Repos

By Trent Leis 5 min read

GitLost vulnerability illustration: GitHub Agentic Workflow data leak via public issue

On July 7, 2026, researchers at Noma Security disclosed GitLost, a critical vulnerability in GitHub Agentic Workflows that allows an unauthenticated attacker to leak data from an organization’s private repositories by simply posting a crafted issue in a public repository.

The attack requires no credentials, no write access, and no traditional software exploit — just the ability to open a public GitHub Issue and wait for the agent to process it.

What Happened

GitHub Agentic Workflows let teams define automation in plain Markdown files that an AI agent (powered by Claude or GitHub Copilot) then executes as GitHub Actions. A common pattern is workflows that trigger on repository events such as issues.assigned, read the issue title and body, and then use tools like add-comment to respond.

Noma’s proof-of-concept showed that when such a workflow also has read access to other repositories in the same organization (a frequent configuration for cross-repo automation), an attacker can embed plain-English instructions inside a seemingly innocent public issue. The agent treats the untrusted issue content as authoritative instructions and retrieves sensitive files from private repositories, posting their contents back as a public comment.

In the published PoC, the attacker successfully caused the agent to read and expose the README from a private repository while also fetching content from public ones.

Why This Matters for AI Security Architects

This is not a traditional vulnerability in the classical sense. It is a trust boundary failure at the intersection of event-driven automation and large language model behavior.

The core issue is simple but profound: the agent’s context window became its attack surface. Any content the agent is instructed to read — issues, pull request descriptions, file contents, or tool outputs — can contain hidden instructions that override or subvert the system’s intended behavior.

This mirrors the classic lesson from web application security: untrusted input must never be treated as trusted instructions. In agentic systems, that lesson applies to every piece of data that enters the agent’s context.

Key architectural implications include:

  • Cross-repository permissions are dangerous by default. Giving an agent broad read access across an organization’s repositories dramatically increases the blast radius of any successful prompt injection.
  • Event-driven triggers on untrusted content create reliable attack paths. issues.assigned, pull_request.opened, and similar webhooks are now high-risk ingestion points when combined with AI agents.
  • Output actions that affect public or external surfaces must be tightly controlled. Allowing an agent to post public comments, create issues, or update wikis without additional guardrails turns data exfiltration into a low-friction operation.

Practical Recommendations

Teams using or evaluating GitHub Agentic Workflows (or similar event-driven agentic automation) should take the following steps immediately:

  1. Apply least privilege aggressively. Scope agent permissions to the minimum repositories and actions required for the specific workflow. Avoid organization-wide or cross-repo read access unless there is a documented and reviewed justification.

  2. Isolate untrusted input from instruction context. Treat issue titles, bodies, comments, and any user-generated content as untrusted data. Where possible, process this content through separate, non-instruction-following mechanisms before (or instead of) feeding it directly to the agent.

  3. Add guardrails on public or high-visibility actions. Require human approval or additional policy checks before an agent can post public comments, create issues, or modify content that will be visible outside the organization.

  4. Monitor and log agent decision traces. Record what the agent read, what instructions it followed, and what actions it took. This is essential for detection and forensic investigation of prompt injection attempts.

  5. Red team the workflows. Include indirect prompt injection scenarios (especially via public issues and pull requests) in your regular testing of any agentic automation that touches sensitive data or has broad permissions.

The Broader Pattern

GitLost is a textbook example of why prompt injection has become to agentic AI what SQL injection was to web applications: a systematic, category-wide vulnerability class rather than an edge-case problem.

As organizations increasingly deploy agents that can read from multiple sources, take autonomous actions, and operate across trust boundaries, the assumption that “our prompt will always be the most important instructions in context” breaks down. Adversaries only need to get malicious instructions into any part of the context the agent treats as input.

This incident should accelerate work on:

  • Stronger input sanitization and separation techniques for agentic systems
  • Capability-based or policy-enforced permission models for AI agents
  • Better observability into why an agent chose to perform a particular action
  • Standardized patterns for safely handling untrusted content in event-driven agentic workflows

Conclusion

GitLost demonstrates that shipping powerful agentic capabilities without correspondingly strong trust boundary controls creates immediate, low-skill attack opportunities. The vulnerability was not in the underlying models but in how the system was architected to ingest and act on untrusted data.

For security teams, the takeaway is clear: every agent that can read external or user-controlled content and then take actions must be designed with the same rigor previously applied to traditional application security boundaries. The context window is the new perimeter — and right now, it is porous.


This post is based exclusively on disclosures and analysis from July 7–9, 2026.

Trent Leis

AI security consultant specializing in governance frameworks for regulated industries.

About the author →

Related articles

Ready to discuss your AI security posture?

Book a free 30-minute discovery call — no slides, just conversation.