GitLost: How a Simple GitHub Issue Tricked AI Into Leaking Private Code
A new vulnerability dubbed GitLost shows how attackers can use plain English in a GitHub issue to trick AI agents into leaking private repository data — no coding skills required.
GitHub's Agentic Workflows were supposed to make developer life easier. Instead, they opened a door that nobody was watching. Security researchers at Noma Labs just demonstrated that a single crafted GitHub issue — written in plain English — can trick GitHub's AI agent into dumping private repository contents into a public comment. They called it GitLost, and it's a wake-up call for anyone betting on AI agents in their CI/CD pipeline.
What Are GitHub Agentic Workflows?
Earlier this year, GitHub launched Agentic Workflows, a system that pairs GitHub Actions with an AI agent backed by Claude or GitHub Copilot. The pitch is compelling: instead of writing YAML configs and shell scripts, teams write their workflows in plain Markdown. The AI agent reads issues, calls tools, interacts with repositories, and posts responses — all on its own.
It's a natural fit for GitHub's automation ecosystem. Workflows trigger on repository events like issue assignments, the agent processes the request, and it can access other repositories within the same organization — including private ones. That last detail is where things get dangerous.
The Attack: Prompt Injection in Plain English
The GitLost vulnerability is a textbook indirect prompt injection attack. The attacker doesn't need coding skills, credentials, or special access. They just open a GitHub issue in a public repository belonging to an organization that uses Agentic Workflows.
Here's how it works:
- The attacker posts a GitHub issue that looks completely innocent — say, a plausible request from a VP of Sales following up on a customer meeting
- A GitHub automation assigns the issue, triggering the Agentic Workflow
- The AI agent reads the issue body, which contains hidden instructions disguised as natural language
- The agent follows those instructions instead of its intended workflow — fetching README.md files from both public and private repositories
- The agent posts the private repo contents as a public comment on the issue, visible to anyone on the internet
The issue body doesn't contain code or exploits. It contains English sentences that the AI interprets as instructions. That's the core problem: when an AI agent can't distinguish between trusted system directives and untrusted user input, any content it reads becomes a potential attack vector.
Bypassing GitHub's Guardrails
GitHub isn't naive about prompt injection. They implemented guardrails designed to prevent exactly this scenario. But the researchers found that simply adding the word "Additionally" to the malicious issue was enough to trip up the model's safety reasoning.
By framing the request with that one extra keyword, the agent reframed its output rather than refusing it. The guardrails detected something suspicious, but the model's response to that detection was itself manipulable. It's a sobering reminder that LLM-based guardrails are themselves vulnerable to the same class of attacks they're trying to prevent.
Why This Matters Beyond GitHub
GitLost isn't just a GitHub problem. It's a preview of the security challenges every agentic AI system will face as agents get embedded into more platforms with broader permissions. The pattern is always the same:
- An AI agent is given tools and permissions to do useful work
- The agent processes untrusted input from users, documents, or external sources
- An attacker embeds instructions in that untrusted input
- The agent can't tell the difference between its real instructions and the injected ones
This applies to AI coding assistants, customer support agents, automated email processors, and any system where an LLM reads external content and has access to tools or data. The more permissions the agent has, the worse the potential breach.
What Organizations Should Do Now
If your team is using or considering AI agents in development workflows, here are practical steps to reduce risk:
- Apply least-privilege permissions to AI agents. If a workflow only needs to respond to issues, don't grant it read access to private repositories across the entire organization
- Treat all user-generated content as untrusted. Issue bodies, PR descriptions, and comments should never be fed directly to an agent as instructions
- Implement output filtering. Before an agent posts a comment or sends data externally, check whether the output contains content from private sources
- Audit agent workflows regularly. New features like Agentic Workflows should go through the same security review as any other privileged automation
- Don't rely solely on LLM-based guardrails. As GitLost demonstrated, the model's own safety reasoning can be manipulated with a single word
The Bigger Picture
The timing of GitLost is significant. We're in the middle of a massive shift toward agentic AI — systems that don't just answer questions but take actions. GitHub Agentic Workflows, Devin, Claude Code, Copilot Workspace, and dozens of other tools are all racing to give AI agents real permissions in real environments.
Prompt injection has been a known vulnerability in LLMs since 2023, but most discussions stayed theoretical. GitLost makes it concrete: a real platform, real private data, and an attack that requires nothing more than a GitHub account and the ability to write a persuasive issue.
Noma Labs disclosed the vulnerability responsibly and published full proof-of-concept details, including workflow run logs and the exact issue used in the attack. GitHub has been notified and the specific vulnerable workflow configuration has been addressed, but the underlying class of vulnerability remains — because it's not a bug in any single system. It's a fundamental property of how LLMs process text.
What Comes Next
The industry needs structural solutions, not patches. Promising directions include:
- Strict separation between instruction channels and data channels in agent architectures
- Capability-based security models where agents request specific permissions per action, not blanket access
- Formal verification of agent output against data classification policies before any external delivery
- Industry-wide standards for agentic AI security, similar to what OWASP did for web applications
Until those solutions arrive, the message is simple: treat every AI agent with the same suspicion you'd apply to any other privileged automation. Assume it can be tricked. Design for that. Because as GitLost proves, it can be — and the attacker doesn't even need to know how to code.