Close Menu
WithO2WithO2

    Subscribe to Updates

    Get the latest AI News Tools Updates in your Inbox

    What's Hot

    Microsoft Patches 570 Flaws — Record Patch Tuesday, 3 Zero-Days

    July 15, 2026

    Cursor 0day: Cloning a Repo Can Hack Your Computer

    July 15, 2026

    Rippling vs Gusto vs BambooHR: Full HRMS Comparison 2026

    July 15, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram
    Facebook X (Twitter) Instagram
    WithO2WithO2
    • AI
    • Blog
    • Business Software
    • Trending News
    • Stories
    WithO2WithO2
    Home » Trending News
    Trending News

    GitHub’s AI Agent Was Tricked Into Leaking Your Private Repos

    By Amitabh SarkarJuly 15, 20266 Mins Read0
    Facebook Twitter Pinterest LinkedIn Tumblr Email
    GitHub AI agent security flaw GitLost — private repo data leaked via crafted GitHub Issue prompt injection
    Noma Labs' GitLost attack tricks GitHub's Agentic Workflows AI into leaking private repository data through a public comment.
    Share
    Facebook Twitter LinkedIn Pinterest Email

    A GitHub AI agent security flaw discovered by Noma Labs lets an unauthenticated attacker steal private repository data with zero credentials and zero coding skill — just a crafted GitHub Issue posted to any public repo in the same organization. GitHub’s response was a documentation update, not a code fix, because prompt injection in AI agents cannot be fully patched in software.

    Key Facts

    • Vulnerability named GitLost, discovered by Sasi Levi at Noma Labs, disclosed July 6, 2026
    • Affects GitHub Agentic Workflows — the new feature that pairs GitHub Actions with an AI agent backed by Claude or GitHub Copilot
    • Attack vector: post a crafted issue on a public repo belonging to the target org; the AI agent reads it and posts private code as a public comment
    • Requires no credentials, no internal access, no coding skills
    • GitHub’s fix: documentation update only — The Register’s headline says it plainly: “there’s no fix”

    Table of Contents

    Toggle
    • What the GitLost Attack Actually Does
    • Why There Is No Code Fix
    • What This Means for Teams Using GitHub Agentic Workflows
    • What We Still Don’t Know
    • Frequently Asked Questions

    What the GitLost Attack Actually Does

    GitHub Agentic Workflows is a recently launched feature that lets engineering teams write CI/CD automation in plain-English Markdown instead of YAML. An AI agent — backed by either Claude or GitHub Copilot — reads the instructions, calls tools, and responds automatically. Because the agent has read access across both public and private repositories in the same organization, it can pull code from private repos and post responses as public comments.

    GitLost exploits exactly that design. An attacker posts a carefully worded GitHub Issue on any public repo belonging to the target organization. The AI agent, triggered by issue assignment, reads the crafted instructions and — treating them as legitimate operator commands — responds by posting private repository data as a public comment visible to anyone.

    The bypass technique is disarmingly simple: Noma’s researchers found that inserting the word “additionally” before the malicious instruction caused the model to reframe its output rather than refuse. No jailbreak chain, no multi-step social engineering — one word shifted the model’s behavior.

    Why There Is No Code Fix

    This is a classic indirect prompt injection: instead of attacking the AI model directly, the attacker poisons the content the agent reads. The model cannot reliably distinguish between legitimate instructions from its operator and malicious instructions embedded in a GitHub Issue submitted by an anonymous user.

    According to Noma’s disclosure: “Noma Labs discovered a critical prompt injection vulnerability within GitHub’s new Agentic Workflows, allowing an unauthenticated attacker to silently pull data from private repositories by posting a crafted GitHub Issue in a public repository belonging to the same organization as the private repositories.”

    Noma’s recommended mitigations are architectural, not software-level: scope agent permissions to the minimum required, never treat user-controlled content as trusted instruction input, restrict what an agent can post publicly, and isolate user input from the instruction context before it reaches the model. GitHub updated its documentation and removed the vulnerable workflow template from official docs. No CVE has been assigned as of publication.

    This connects to a broader pattern — AI-assisted vulnerability discovery is accelerating, and agentic systems with broad permissions are consistently the highest-risk surface.

    What This Means for Teams Using GitHub Agentic Workflows

    GitHub Agentic Workflows is opt-in — not all organizations are affected. If your organization has not configured the feature, you are not exposed. But if you have, the risk is active: any unauthenticated user who can open a public GitHub Issue in your organization’s repos can trigger the attack path.

    Practical steps for affected teams:

    • Audit your agent’s permissions immediately — restrict read access to only the repos the agent genuinely needs
    • Disable public commenting by the agent — if the agent cannot post public comments, the exfiltration path breaks
    • Treat every issue as potentially adversarial — never configure an agent to act on issue content without a human approval step
    • Review GitHub’s updated documentation — the removed template is gone but existing configurations built from it may persist

    The same architectural risk applies to every team building agentic workflows, whether on GitHub or elsewhere. Giving an AI agent broad read/write permissions across enterprise systems and then feeding it user-controlled content is the pattern that makes GitLost possible. Security teams reviewing AI security settings across their stack should treat permission scope as the primary control, not model-level content filtering.

    What We Still Don’t Know

    No confirmed real-world exploitation has been reported — GitLost was a researcher-disclosed vulnerability, not a breach. The number of organizations that have configured GitHub Agentic Workflows and are therefore exposed has not been published. It is also unknown whether GitHub is working on any architectural mitigation beyond the documentation change.

    💡 Our Take: GitHub’s “documentation update” response to a zero-credential, zero-skill private repo leak should worry every engineering team adopting agentic workflows. If your AI agent can read your codebase, assume every piece of content it processes is a potential attack vector — because that’s exactly how this worked. The “no fix possible in code” admission isn’t a GitHub problem, it’s an AI agent problem that will surface across every platform that gives agents broad permissions and user-controlled inputs.

    Frequently Asked Questions

    What is GitLost?

    GitLost is a prompt injection vulnerability in GitHub Agentic Workflows discovered by Sasi Levi at Noma Labs and disclosed on July 6, 2026. It allows an unauthenticated attacker to trick GitHub’s AI agent into posting private repository data as a public comment by embedding malicious instructions in a crafted GitHub Issue.

    Do I need credentials to perform the GitLost attack?

    No. The attack requires zero credentials, zero internal access, and zero coding skill from the attacker. The only requirement is the ability to open a GitHub Issue on any public repository belonging to the target organization — which is available to any GitHub account holder.

    Has GitHub patched the GitLost vulnerability?

    GitHub updated its documentation and removed the vulnerable workflow template from official docs, but issued no code-level patch. According to Noma’s research, prompt injection in AI agents cannot be completely fixed in software because the model cannot reliably distinguish legitimate operator instructions from malicious user-injected content. The Register’s coverage described this as “there’s no fix.”

    Which GitHub AI backends are affected — Claude or Copilot?

    According to Noma’s disclosure, GitHub Agentic Workflows supports both Claude and GitHub Copilot as AI backends. The vulnerability is in the workflow design, not the underlying model, so both backends are in scope. No specific claims about one backend being more vulnerable than the other appear in the verified sources.

    Is GitHub Agentic Workflows the same as GitHub Actions?

    No — GitHub Agentic Workflows is a newer feature that layers an AI agent on top of GitHub Actions, allowing teams to write automation in plain-English Markdown instead of YAML. The AI reads the instructions and executes them. Classic GitHub Actions workflows are not affected by GitLost.

    Last Updated: July 2026

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Amitabh Sarkar
    • Website

    I am a software engineer, I have a passion for working with cutting-edge technologies and staying up-to-date with the latest developments in the field. In my articles, I share my knowledge and insights on a range of topics, including business software, how to set up tools, and the latest trends in the tech industry.

    Related Posts

    Microsoft Patches 570 Flaws — Record Patch Tuesday, 3 Zero-Days

    July 15, 2026

    Cursor 0day: Cloning a Repo Can Hack Your Computer

    July 15, 2026

    Claude Fable 5 Rewrote Bun in Rust — 1 Million Lines for $165K

    July 15, 2026

    Comments are closed.

    Don't Miss
    Trending News

    Microsoft Patches 570 Flaws — Record Patch Tuesday, 3 Zero-Days

    By Amitabh SarkarJuly 15, 2026

    Microsoft’s July 2026 Patch Tuesday is the largest in company history: 570 vulnerabilities patched across…

    Cursor 0day: Cloning a Repo Can Hack Your Computer

    July 15, 2026

    Rippling vs Gusto vs BambooHR: Full HRMS Comparison 2026

    July 15, 2026

    Claude Fable 5 Rewrote Bun in Rust — 1 Million Lines for $165K

    July 15, 2026

    Subscribe to Updates

    Get the latest creative news from SmartMag about art & design.

    Stay In Touch
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    Our Picks

    Rippling vs Gusto vs BambooHR: Full HRMS Comparison 2026

    July 15, 2026

    Best HRMS Software 2026: Top 10 HR Systems Compared

    July 8, 2026

    Best Ecommerce Platform 2026: Top 10 Options Compared

    July 5, 2026

    Hostinger vs Bluehost 2026: Which Cheap Host Wins?

    July 3, 2026
    Editors Picks

    Microsoft Patches 570 Flaws — Record Patch Tuesday, 3 Zero-Days

    July 15, 2026

    Cursor 0day: Cloning a Repo Can Hack Your Computer

    July 15, 2026

    Claude Fable 5 Rewrote Bun in Rust — 1 Million Lines for $165K

    July 15, 2026

    Grok 4.5 Is Here: SpaceXAI’s Opus-Class AI at a Fraction of the Price

    July 15, 2026
    About Us
    About Us

    Your Source for Innovation: Discover in-depth guides, solutions, and tools tailored to modern business challenges.

    Links
    • Blog
    • Privacy Policy
    • Contact WithO2.com
    • Terms and Conditions
    Facebook X (Twitter) Instagram Pinterest
    • About
    • Editorial Policy
    • Contact
    • Privacy Policy
    • Terms
    © 2026 WITHO2.COM

    Type above and press Enter to search. Press Esc to cancel.