Noma Reveals GitLost Flaw Leaking Private Repositories Noma Labs disclosed a vulnerability called GitLost that exploits GitHub Agentic Workflows via indirect prompt injection, allowing an AI agent to read private repositories and post contents as public issue comments. The attack requires no stolen credentials and only a public GitHub Issue, raising concerns about AI agent security in CI/CD pipelines. Agentic automation that pairs credentialed CI/CD tokens with freeform natural-language input creates a new, practical exfiltration surface. Noma Labs disclosed a vulnerability dubbed "GitLost" that uses an indirect prompt injection to make a GitHub AI agent read from private repositories and publish the results as a public issue comment, according to Noma's blog post and coverage by The Register and DarkReading. The flaw targets GitHub Agentic Workflows , which let an AI agent operate inside workflows using tools and tokens; Noma's proof of concept required only creating a public GitHub Issue, the researchers say. Reporting also notes the exploit needs no stolen credentials and that Noma published proofs and indicators; The Register reported GitHub had not yet added guidance or documentation.