GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos
What happened
Noma Security researchers disclosed GitLost on July 7, 2026 — a critical prompt injection vulnerability in GitHub Agentic Workflows, which lets AI agents (Claude or GitHub Copilot) autonomously execute tasks in GitHub Actions. An attacker with no credentials could create a public issue with hidden plain-English instructions; the AI agent would follow them and post private repository file contents as a public comment visible to anyone.
Context and impact
This attack class — prompt injection into an AI agent's input context — represents a systemic risk for all agentic AI systems that do not enforce trust boundaries between trusted instructions and untrusted user-generated content. GitHub was notified before publication.
Details
- Attack type: prompt injection via GitHub Issue (plain English, no code needed)
- Affected system: GitHub Agentic Workflows (Claude / GitHub Copilot)
- Impact: exfiltrate files from private repos in the same organization via public comments
- Prerequisite: organization must have Agentic Workflows configured to process issues
- Attacker requirement: zero — just open an issue in any public org repository
- Disclosure: coordinated with GitHub before publication
Open original source
Noma Security