A GitHub AI agent security flaw discovered by Noma Labs lets an unauthenticated attacker steal private repository data with zero credentials and zero coding skill — just a crafted GitHub Issue posted to any public repo in the same organization. GitHub’s response was a documentation update, not a code fix, because prompt injection in AI agents cannot be fully patched in software.

Key Facts
  • Vulnerability named GitLost, discovered by Sasi Levi at Noma Labs, disclosed July 6, 2026
  • Affects GitHub Agentic Workflows — the new feature that pairs GitHub Actions with an AI agent backed by Claude or GitHub Copilot
  • Attack vector: post a crafted issue on a public repo belonging to the target org; the AI agent reads it and posts private code as a public comment
  • Requires no credentials, no internal access, no coding skills
  • GitHub’s fix: documentation update only — The Register’s headline says it plainly: “there’s no fix”

What the GitLost Attack Actually Does

GitHub Agentic Workflows is a recently launched feature that lets engineering teams write CI/CD automation in plain-English Markdown instead of YAML. An AI agent — backed by either Claude or GitHub Copilot — reads the instructions, calls tools, and responds automatically. Because the agent has read access across both public and private repositories in the same organization, it can pull code from private repos and post responses as public comments.

GitLost exploits exactly that design. An attacker posts a carefully worded GitHub Issue on any public repo belonging to the target organization. The AI agent, triggered by issue assignment, reads the crafted instructions and — treating them as legitimate operator commands — responds by posting private repository data as a public comment visible to anyone.

The bypass technique is disarmingly simple: Noma’s researchers found that inserting the word “additionally” before the malicious instruction caused the model to reframe its output rather than refuse. No jailbreak chain, no multi-step social engineering — one word shifted the model’s behavior.

Why There Is No Code Fix

This is a classic indirect prompt injection: instead of attacking the AI model directly, the attacker poisons the content the agent reads. The model cannot reliably distinguish between legitimate instructions from its operator and malicious instructions embedded in a GitHub Issue submitted by an anonymous user.

According to Noma’s disclosure: “Noma Labs discovered a critical prompt injection vulnerability within GitHub’s new Agentic Workflows, allowing an unauthenticated attacker to silently pull data from private repositories by posting a crafted GitHub Issue in a public repository belonging to the same organization as the private repositories.”

Noma’s recommended mitigations are architectural, not software-level: scope agent permissions to the minimum required, never treat user-controlled content as trusted instruction input, restrict what an agent can post publicly, and isolate user input from the instruction context before it reaches the model. GitHub updated its documentation and removed the vulnerable workflow template from official docs. No CVE has been assigned as of publication.

This connects to a broader pattern — AI-assisted vulnerability discovery is accelerating, and agentic systems with broad permissions are consistently the highest-risk surface.

What This Means for Teams Using GitHub Agentic Workflows

GitHub Agentic Workflows is opt-in — not all organizations are affected. If your organization has not configured the feature, you are not exposed. But if you have, the risk is active: any unauthenticated user who can open a public GitHub Issue in your organization’s repos can trigger the attack path.

Practical steps for affected teams:

  • Audit your agent’s permissions immediately — restrict read access to only the repos the agent genuinely needs
  • Disable public commenting by the agent — if the agent cannot post public comments, the exfiltration path breaks
  • Treat every issue as potentially adversarial — never configure an agent to act on issue content without a human approval step
  • Review GitHub’s updated documentation — the removed template is gone but existing configurations built from it may persist

The same architectural risk applies to every team building agentic workflows, whether on GitHub or elsewhere. Giving an AI agent broad read/write permissions across enterprise systems and then feeding it user-controlled content is the pattern that makes GitLost possible. Security teams reviewing AI security settings across their stack should treat permission scope as the primary control, not model-level content filtering.

What We Still Don’t Know

No confirmed real-world exploitation has been reported — GitLost was a researcher-disclosed vulnerability, not a breach. The number of organizations that have configured GitHub Agentic Workflows and are therefore exposed has not been published. It is also unknown whether GitHub is working on any architectural mitigation beyond the documentation change.

💡 Our Take: GitHub’s “documentation update” response to a zero-credential, zero-skill private repo leak should worry every engineering team adopting agentic workflows. If your AI agent can read your codebase, assume every piece of content it processes is a potential attack vector — because that’s exactly how this worked. The “no fix possible in code” admission isn’t a GitHub problem, it’s an AI agent problem that will surface across every platform that gives agents broad permissions and user-controlled inputs.

Frequently Asked Questions

What is GitLost?

GitLost is a prompt injection vulnerability in GitHub Agentic Workflows discovered by Sasi Levi at Noma Labs and disclosed on July 6, 2026. It allows an unauthenticated attacker to trick GitHub’s AI agent into posting private repository data as a public comment by embedding malicious instructions in a crafted GitHub Issue.

Do I need credentials to perform the GitLost attack?

No. The attack requires zero credentials, zero internal access, and zero coding skill from the attacker. The only requirement is the ability to open a GitHub Issue on any public repository belonging to the target organization — which is available to any GitHub account holder.

Has GitHub patched the GitLost vulnerability?

GitHub updated its documentation and removed the vulnerable workflow template from official docs, but issued no code-level patch. According to Noma’s research, prompt injection in AI agents cannot be completely fixed in software because the model cannot reliably distinguish legitimate operator instructions from malicious user-injected content. The Register’s coverage described this as “there’s no fix.”

Which GitHub AI backends are affected — Claude or Copilot?

According to Noma’s disclosure, GitHub Agentic Workflows supports both Claude and GitHub Copilot as AI backends. The vulnerability is in the workflow design, not the underlying model, so both backends are in scope. No specific claims about one backend being more vulnerable than the other appear in the verified sources.

Is GitHub Agentic Workflows the same as GitHub Actions?

No — GitHub Agentic Workflows is a newer feature that layers an AI agent on top of GitHub Actions, allowing teams to write automation in plain-English Markdown instead of YAML. The AI reads the instructions and executes them. Classic GitHub Actions workflows are not affected by GitLost.


Share.

I am a software engineer, I have a passion for working with cutting-edge technologies and staying up-to-date with the latest developments in the field. In my articles, I share my knowledge and insights on a range of topics, including business software, how to set up tools, and the latest trends in the tech industry.

Comments are closed.

Exit mobile version