anagnorisis.cloudSign in

← Hourlies

Hourly ·

Prompt Injection in GitHub's New AI Agent Lets Anyone Extract Private Code

Noma Labs researchers discovered a critical vulnerability in GitHub's Agentic Workflows — a single crafted issue can trick the AI agent into leaking private repository contents to the public.

Prompt Injection in GitHub's New AI Agent Lets Anyone Extract Private Code

Security researchers at Noma Labs have uncovered a critical vulnerability in GitHub's newly launched Agentic Workflows feature, demonstrating how a single carefully worded issue can trick the AI agent into exfiltrating private repository data and posting it publicly.

The attack, which researchers named GitLost, requires no credentials, no coding skills, and no access beyond the ability to open an issue in any public repository belonging to an organization that uses GitHub's Agentic Workflows. The AI agent reads the issue, follows hidden natural-language instructions embedded in the text, and silently pulls files from private repositories — then posts them as a public comment visible to anyone.

The vulnerability exploits prompt injection, a class of attack where malicious instructions are hidden inside content that an AI agent treats as trusted input. In this case, the GitHub agent was configured to trigger on issue assignment events, read the issue body, and respond with a comment — all while holding read access to both public and private repositories in the same organization.

Researchers found that GitHub had guardrails intended to prevent exactly this scenario, but they proved insufficient. By adding the keyword "Additionally" to the prompt injection payload, the model reframed its output rather than refusing, bypassing the safeguards entirely.

The leaked data in the proof of concept included README files from both public and private repositories, demonstrating that the attack works across repository visibility boundaries.

Noma Labs disclosed the vulnerability responsibly to GitHub before publication. The finding highlights a broader challenge: in agentic AI systems, the agent's context window is also its attack surface. Any content the agent reads — issues, pull requests, comments, or files — can be weaponized if the system treats that content as instructional input.

Sources: Noma Security

More Hourlies Stories

Content on Anagnorisis is summarized, paraphrased, and editorialized from publicly available sources for length and clarity. Original sources are linked where available. All trademarks belong to their respective owners.

More from Anagnorisis