{"id":8681,"date":"2026-07-08T12:14:01","date_gmt":"2026-07-08T12:14:01","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8681"},"modified":"2026-07-08T12:14:01","modified_gmt":"2026-07-08T12:14:01","slug":"github-ai-agent-leaks-private-repositories-via-prompt-injection-attack","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8681","title":{"rendered":"GitHub AI agent leaks private repositories via prompt injection attack"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A prompt injection attack can trick GitHub\u2019s preview Agentic Workflows into retrieving content from private repositories and publishing it publicly, exposing a broader risk as enterprises deploy AI agents with privileged access to software development environments, according to new research from Noma Security.<\/p>\n<p>The AI security company detailed the attack, dubbed GitLost, in a <a href=\"https:\/\/noma.security\/blog\/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a>, saying an unauthenticated attacker could exploit GitHub\u2019s preview Agentic Workflows by submitting a crafted GitHub issue to a public repository. If the AI agent has read access to private repositories within the same organization, it can retrieve sensitive information and publish it in a public comment, the company said.<\/p>\n<p>GitHub Agentic Workflows combine GitHub Actions with AI models such as Claude or GitHub Copilot, allowing developers to define workflows in Markdown. At the same time, AI agents read issues, invoke tools, and perform tasks on their behalf.<\/p>\n<p>\u201cWhat will happen when the GitHub agent reads something it should not trust?\u201d Noma researcher Sasi Levi wrote. \u201cThe answer is a textbook indirect prompt-injection attack, the kind of attack that quietly sends private data to anyone on the internet.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Public GitHub issue became the attack vector<\/h2>\n<p>According to Noma, the attack did not rely on stolen credentials, malware, or software vulnerabilities. Instead, an attacker embedded hidden instructions within a GitHub Issue submitted to a public repository.<\/p>\n<p>Because the AI agent interpreted the issue as instructions rather than untrusted content, it accessed a private repository and posted its contents back to the public issue, the blog post added.<\/p>\n<p>\u201cThe root cause of the GitLost vulnerability is, by now, a familiar one in agentic AI systems: prompt injection,\u201d Levi wrote. \u201cIn this specific case, any malicious actor can create a GitHub Issue and, in the issue body, hide commands in plain English that GitHub\u2019s agent will follow.\u201d<\/p>\n<p>To demonstrate the attack, the researchers created what appeared to be a routine GitHub Issue requesting documentation updates. Once the workflow was triggered, the AI agent retrieved the README file from a private repository and published its contents in a publicly visible comment.<\/p>\n<p>The researchers also said they bypassed GitHub\u2019s prompt-based guardrails by making a minor wording change that caused the AI agent to comply with instructions it had previously rejected.<\/p>\n<p>GitHub did not immediately respond to a request for comment.<\/p>\n<h2 class=\"wp-block-heading\">Research points to a broader AI agent risk<\/h2>\n<p>Noma said GitLost illustrates a broader architectural challenge for AI agents rather than a flaw unique to GitHub.<\/p>\n<p>\u201cThe issue is not that GitHub\u2019s AI agent is unusually insecure,\u201d Levi wrote. \u201cThe issue is that any AI agent with access to both untrusted external content and sensitive internal resources can become an unintended bridge between the two if trust boundaries are not enforced.\u201d<\/p>\n<p>Independent cybersecurity researcher and red teamer Vibhum Dubey said the findings expose a more fundamental issue than prompt injection alone.<\/p>\n<p>\u201cThis isn\u2019t prompt injection in the abstract\u2014this is GitHub shipping agent permissions before shipping agent security,\u201d Dubey said. \u201cThe vulnerability exposes that AI agents operate on a service account permission model, not a user permission model. That\u2019s an architectural assumption security teams made before considering LLMs as an attack vector.\u201d<\/p>\n<p>According to Dubey, the prompt injection itself is almost secondary.<\/p>\n<p>\u201cWhat\u2019s dangerous is that trust boundaries exist in GitHub\u2019s data model but nowhere in the agent\u2019s execution context,\u201d he said. \u201cThe agent doesn\u2019t \u2018know\u2019 a repository is private. It just sees \u2018accessible.\u2019 As more organizations deploy agents, we\u2019re accumulating these invisible permission gaps.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Experts urge tighter controls on AI agents<\/h2>\n<p>Dubey said organizations should rethink how AI agents are granted permissions rather than treating the issue primarily as a monitoring challenge.<\/p>\n<p>\u201cThree concrete fixes: Agents get explicit repository whitelists, not broad service account access. All user inputs, including commit messages, PR descriptions, and issues, should be validated before reaching the LLM. And have an emergency kill-switch ready,\u201d he said. \u201cMost teams can disable a compromised API key. Can you disable a rogue agent?\u201d<\/p>\n<p>Dubey said GitLost demonstrates how AI agents can effectively become an insider threat once granted broad organizational access.<\/p>\n<p>\u201cThe brilliance of GitLost isn\u2019t that it fooled an AI. It\u2019s that it weaponized GitHub\u2019s assumption that service accounts are trustworthy,\u201d he said. \u201cAgents were explicitly built to bypass human judgment and operate autonomously. That\u2019s exactly why they\u2019re dangerous: we normalized cross-boundary operations the moment we automated them.\u201d Noma also recommended applying least-privilege access controls, limiting AI agents\u2019 cross-repository access, and treating GitHub Issues, pull requests, and comments as untrusted input.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A prompt injection attack can trick GitHub\u2019s preview Agentic Workflows into retrieving content from private repositories and publishing it publicly, exposing a broader risk as enterprises deploy AI agents with privileged access to software development environments, according to new research from Noma Security. The AI security company detailed the attack, dubbed GitLost, in a blog [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8682,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8681","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8681"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8681"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8681\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8682"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8681"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8681"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}