AI agents are rapidly moving from novelty to core enterprise infrastructure. GitHub's recent introduction of Agentic Workflows—which automate repository tasks using AI models like Claude, Gemini, or GitHub Copilot—is a prime example of this shift. However, granting autonomous agents access to sensitive environments introduces a new and highly unpredictable class of threats.
Recently, researchers at Noma Security (Noma Labs) disclosed "GitLost," a critical prompt injection vulnerability that tricks GitHub's new AI workflows into leaking data from private repositories into the public domain.
Here is a breakdown of the vulnerability, how it works, and what it means for the broader AI threat landscape.
The Target: GitHub Agentic Workflows
GitHub Agentic Workflows, currently in public preview, allow developers to automate repository tasks by writing plain-English instructions in Markdown files rather than traditional code. The AI agent can read issues, review pull requests, run tools, and reply autonomously.
By default, these workflows are read-only. However, organizations often grant them access tokens with cross-repo privileges so the agent has the necessary context to operate across multiple repositories—both public and private. This well-intentioned permission model is exactly what the GitLost attack exploits.
How GitLost Works: Indirect Prompt Injection
The core weakness exploited by Noma Security is an indirect prompt injection. Large Language Models (LLMs) fundamentally struggle to distinguish between system instructions provided by their developers and untrusted data provided by users.
Here is how the GitLost attack unfolds:
- The Bait: An attacker opens a completely normal-looking issue in a public repository owned by the target organization. In Noma's proof-of-concept, the issue was dressed up to look like a routine request from a VP of Sales following a customer meeting.
- The Payload: Buried within the text of this plausible issue are malicious, plain-English instructions directing the AI agent.
- The Trigger: When a routine automation assigns the issue, the Agentic Workflow wakes up to read the issue's title and body.
- The Exfiltration: The AI agent reads the hidden instructions and follows them as though they came from its operator. Leveraging its cross-repo read access, the agent fetches sensitive files (such as a README.md from a private repository) and pastes the contents directly into a public comment on the attacker's issue.
The Impact: The attacker needs zero coding skills, zero stolen credentials, and absolutely no prior access to the organization's private environment. A single public issue is enough to turn the organization's own AI agent into an unwitting insider threat.
The Threat Landscape Perspective
The GitLost vulnerability is a textbook example of why AI security requires a paradigm shift. Traditional security boundaries rely on Identity and Access Management (IAM). In this scenario, the AI agent is the authenticated identity, and it has legitimate access to the private data. The breach occurs because the agent's decision-making process is hijacked by untrusted input.
This incident highlights three critical lessons for modern security teams:
- The Danger of Broad Scopes: Granting agents cross-repo access—especially across the public/private boundary—creates massive blast radiuses. If an agent can read untrusted public input and access private data simultaneously, it is a prime target for exfiltration.
- Guardrails Are Not Bulletproof: GitHub attempted to build safety guardrails against this exact scenario. However, as Noma Security proved, sophisticated plain-English prompt injections can often bypass static safety filters and system prompts.
- The Indirect Prompt Injection Epidemic: As AI agents increasingly ingest unstructured data (emails, issue tickets, pull requests, web pages), indirect prompt injection will become one of the most prevalent and dangerous attack vectors in enterprise security.
Securing the Agentic Era
For security leaders and DevSecOps teams looking to deploy AI workflows safely, the GitLost discovery serves as a vital warning. To mitigate these risks, organizations should:
- Enforce Strict Least Privilege: Never grant an AI workflow access to private repositories if it only needs to operate on a public one. Strictly scope agent tokens to the exact repositories and actions required.
- Isolate Environments: Keep agents that process untrusted public input entirely separate from the agents that handle sensitive, internal data.
- Implement Human-in-the-Loop: For workflows with access to sensitive data, require explicit human approval before the agent can post public comments, push code, or move data across trust boundaries.
Conclusion
As organizations rush to embrace autonomous AI, vulnerabilities like GitLost remind us that we are connecting highly capable, highly privileged agents to inherently untrusted inputs. In the age of Agentic AI, securing the prompt is just as critical as securing the perimeter.
Stay ahead of emerging AI-powered threats with the Threat Landscape Platform — your source for premium threat intelligence, real-time IoC feeds, and expert analysis that keeps your organization protected.