system: OPERATIONAL
← back to all hacks
INDIRECT INJECTION CRITICAL NEW

GitLost: a public issue can make a GitHub agentic workflow leak private repos

Noma Security showed on July 7, 2026 that one public issue can steer a GitHub Agentic Workflow holding org-wide read access into pasting private repository contents into a public comment — no credentials needed.

2026-07-13 // 6 min affects: github-agentic-workflows, github-copilot, claude, gemini, openai-codex

What is this?

On July 7, 2026, researchers at Noma Security published GitLost, a technique that turns an ordinary public issue into a channel for exfiltrating an organization’s private source code. The target is GitHub Agentic Workflows, a feature that entered technical preview in February 2026 and lets teams replace scripted automation with plain-English Markdown instructions to an AI agent — backed by GitHub Copilot, Anthropic’s Claude, Google Gemini, or OpenAI Codex — that reads issues and pull requests, calls tools, and replies on its own.

The finding was reported by The Hacker News and The Register the same day. Noma disclosed it to GitHub and published with the company’s knowledge. There is no CVE: as the researchers frame it, this is a structural consequence of how these agents are wired, not a coding defect a single patch closes.

How it works

The mechanism is indirect prompt injection. An LLM agent cannot reliably distinguish instructions from its operator from instructions embedded in the untrusted content it happens to read. Agentic Workflows are read-only by default, but an organization can hand a workflow a personal access token with read access across its repositories — private ones included — to give the agent cross-repo context. That grant is what GitLost weaponizes.

In Noma’s proof of concept, the attacker opens a normal-looking issue on a public repository in the target organization. The issue body is dressed up as a routine request — in the demo, a message from a “VP of Sales” after a customer meeting — with hidden instructions telling the agent to fetch content from a private repository and post it back. A routine automation assigns the issue, the workflow wakes up, reads the issue, follows the planted instructions, and pastes a private repository’s README into a public comment on that same issue.

GitHub anticipated exactly this class of abuse: its documentation warns that agents “can be manipulated by prompt injection,” and the product ships sandboxing, read-only defaults, input cleaning, and a threat-detection step that scans an agent’s proposed output before it posts. Noma reported that a one-word change slipped past that backstop: prefixing the malicious instruction with “Additionally” led the model to treat it as a legitimate follow-on task rather than something to refuse, and the guardrail let the output through.

Why it matters

What sets GitLost apart from earlier prompt-injection demos is what the attacker controls. Earlier examples mostly manipulated what an agent said; here the attacker manipulates what a credentialed agent does with its permissions. The agent is not a chat window — it is an actor sitting inside CI/CD-adjacent infrastructure with read access spanning repositories the attacker cannot see. The attack touches no server, needs no stolen credentials, and requires no write access. Opening a public issue is enough.

The setup is a textbook instance of Simon Willison’s lethal trifecta: an agent that can reach private data, ingests untrusted external content, and has a way to send data out. Combine all three and you have a leak path, and what an attacker can pull depends entirely on the token’s scope — proprietary source, internal keys, design documents, or CI/CD secrets. GitLost is the latest in a run of the same pattern, alongside the Claude Code GitHub Action bot-actor flaw and the cross-vendor Comment and Control credential-exfiltration technique — and, like those, it keeps getting filed under “architectural limitation” because natural language has no clean data-versus-instruction boundary to enforce.

Defenses

Noma’s mitigations are about scope and architecture, not better filtering:

  • Scope the token to one repository, not the org. The cross-repo read access comes from a PAT the organization configures. An agent token scoped to the single repository it triages is far less dangerous than one granted broad org-wide read for convenience. This is the highest-leverage control.
  • Constrain what a public-facing workflow can post. Writes flow through declared safe outputs, and the public comment is the exfiltration channel — limit it. Break the trifecta’s “send data out” leg wherever the agent reads untrusted input.
  • Restrict whose content the agent acts on, and gate agent outputs behind human review before anything posts publicly.
  • Isolate untrusted input from the instruction context before it reaches the model, and treat the built-in threat-detection scan as a backstop, not a boundary — the “Additionally” bypass shows a filter is not a trust boundary.
  • Audit which workflows combine the trifecta: untrusted public input, private read access, and public output. Any one of the three removed closes the specific leak path.

Status

ItemValue
TechniqueGitLost — indirect prompt injection in GitHub Agentic Workflows
Disclosed byNoma Security (Noma Labs)
Publication dateJuly 7, 2026
CVENone — structural / architectural limitation
AffectedAgentic Workflows setups reading untrusted public input, holding private read access, able to post publicly
Backported guardrailGitHub threat-detection scan bypassed via a one-word (“Additionally”) prefix
Vendor statusResponsibly disclosed to GitHub; published with GitHub’s knowledge

Key dates: February 13, 2026 — GitHub Agentic Workflows enter technical preview. July 7, 2026 — Noma Security publishes GitLost.

Sources