cd /news/ai-safety/gitlost-researchers-tricked-githubs-… · home topics ai-safety article
[ARTICLE · art-51172] src=thenextweb.com ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

‘GitLost’: researchers tricked GitHub’s AI agent into leaking private repos

Security firm Noma Labs discovered a prompt injection vulnerability, named GitLost, in GitHub's Agentic Workflows that allows attackers to trick the AI agent into leaking private repository contents into public comments. The flaw requires no technical skill—an attacker simply opens an issue with plain-English commands—and GitHub has not yet documented or fixed the issue, highlighting a broader class of AI security risks.

read2 min views1 publishedJul 8, 2026
‘GitLost’: researchers tricked GitHub’s AI agent into leaking private repos
Image: Thenextweb (auto-discovered)

Researchers tricked GitHub’s AI coding agent into leaking private repositories with nothing but a politely worded issue. The flaw, named GitLost, has no code fix, and GitHub has yet to even document it.

GitHub’s new AI agent can be talked into handing over your private code. Security firm Noma Labs found a way to make it read a private repository and paste the contents into a public comment, the researchers wrote in a blog post. They named the flaw GitLost.

The target is GitHub Agentic Workflows, launched this year. They pair GitHub Actions with an AI agent backed by Claude or GitHub Copilot. Teams write the workflows in plain Markdown. The agent then reads issues, calls tools, and acts on its own.

Asked nicely #

The attack needs no skill. An attacker opens an issue in a public repo of an organisation that uses the workflows. They hide plain-English commands in the issue body. The agent obeys them.

“All that was needed was to open an issue in a public repository belonging to an organization that uses GitHub’s Agentic Workflow setup and wait,” Noma research lead Sasi Levi told The Register. No coding, no credentials, no access.

In the proof of concept, a fake issue posed as a request from a VP of sales. Buried in the list sat a question: what does the README file say in a private repo? The agent fetched it from both a public and a private repository, then posted the contents in the open.

GitHub had guardrails to stop exactly this. One word slipped past them. Adding “Additionally” to the prompt nudged the model to reframe its answer rather than refuse. The data spilled.

No fix, no docs #

Prompt injection like this resists a code patch, a problem now familiar across agentic AI. It is the same class of trick that has fooled AI browsers into leaking passwords. Noma proposed a simple documentation note instead, warning teams about sharing keys between repos.

GitHub has not added it. The company did not respond to The Register, though it knew Noma planned to publish. Levi put the stakes plainly. “An autonomous agent should not be a risk for silent data exfiltration and secrets exposure,” he said. “You can’t protect what you can’t see and control.”

Why it matters #

The pattern keeps repeating. An agent’s context window doubles as its attack surface. Anything it reads, an issue, a comment, a file, can carry hidden orders. Noma likens prompt injection to the SQL injection that plagued the early web: a whole category of flaw, not a one-off bug.

Developers already sit in the crosshairs, from poisoned npm packages to fully agentic ransomware. A market has sprung up to police these agents. GitLost shows why. Until someone fixes the trust boundary, agents will keep leaking secrets when asked nicely.

Get the TNW newsletter #

Get the most important tech news in your inbox each week.

── more in #ai-safety 4 stories · sorted by recency
── more on @github 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/gitlost-researchers-…] indexed:0 read:2min 2026-07-08 ·