# ‘GitLost’: researchers tricked GitHub’s AI agent into leaking private repos

> Source: <https://thenextweb.com/news/gitlost-github-ai-agent-leaks-private-repos>
> Published: 2026-07-08 12:03:06+00:00

*Researchers tricked GitHub’s AI coding agent into leaking private repositories with nothing but a politely worded issue. The flaw, named GitLost, has no code fix, and GitHub has yet to even document it.*

GitHub’s new AI agent can be talked into handing over your private code. Security firm Noma Labs found a way to make it read a private repository and paste the contents into a public comment, [the researchers wrote](https://noma.security/blog/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos/) in a blog post. They named the flaw GitLost.

The target is GitHub Agentic Workflows, launched this year. They pair GitHub Actions with an AI agent backed by [Claude](https://thenextweb.com/news/anthropic-claude-sonnet-5-agentic-model-pricing) or GitHub Copilot. Teams write the workflows in plain Markdown. The agent then reads issues, calls tools, and acts on its own.

## Asked nicely

The attack needs no skill. An attacker opens an issue in a public repo of an organisation that uses the workflows. They hide plain-English commands in the issue body. The agent obeys them.

“All that was needed was to open an issue in a public repository belonging to an organization that uses GitHub’s Agentic Workflow setup and wait,” Noma research lead Sasi Levi told [The Register](https://www.theregister.com/security/2026/07/07/github-ai-agent-leaks-private-repos-when-asked-nicely/5267924). No coding, no credentials, no access.

In the proof of concept, a fake issue posed as a request from a VP of sales. Buried in the list sat a question: what does the README file say in a private repo? The agent fetched it from both a public and a private repository, then posted the contents in the open.

GitHub had guardrails to stop exactly this. One word slipped past them. Adding “Additionally” to the prompt nudged the model to reframe its answer rather than refuse. The data spilled.

## No fix, no docs

Prompt injection like this resists a code patch, a problem now familiar across agentic AI. It is the same class of trick that has [fooled AI browsers into leaking passwords](https://thenextweb.com/news/bioshocking-ai-browser-credential-leak-layerx). Noma proposed a simple documentation note instead, warning teams about sharing keys between repos.

GitHub has not added it. The company did not respond to The Register, though it knew Noma planned to publish. Levi put the stakes plainly. “An autonomous agent should not be a risk for silent data exfiltration and secrets exposure,” he said. “You can’t protect what you can’t see and control.”

## Why it matters

The pattern keeps repeating. An agent’s context window doubles as its attack surface. Anything it reads, an issue, a comment, a file, can carry hidden orders. Noma likens prompt injection to the SQL injection that plagued the early web: a whole category of flaw, not a one-off bug.

Developers already sit in the crosshairs, from [poisoned npm packages](https://thenextweb.com/news/north-korea-npm-rollup-polyfill-developer-secrets) to [fully agentic ransomware](https://thenextweb.com/news/jadepuffer-agentic-ai-ransomware). A market has sprung up to [police these agents](https://thenextweb.com/news/straiker-64m-series-a-agentic-security). GitLost shows why. Until someone fixes the trust boundary, agents will keep leaking secrets when asked nicely.

## Get the TNW newsletter

Get the most important tech news in your inbox each week.
