An attacker opens a normal-looking issue on your public repo. No stolen credentials. No access to your organization. But your private repository contents end up in a public comment anyway.
That’s GitLost — a technique demonstrated by Noma Security researchers. The target is GitHub Agentic Workflows, a feature still in public preview. Instead of writing automation scripts, you give an AI agent plain English instructions in a Markdown file. The agent reads issues, runs tools, and replies on its own. It can use Copilot, Claude, Gemini, or Codex.
Here’s how it works. If your organization gave the agent a token with read access across repos — including private ones — the attacker just needs to embed hidden instructions inside an issue. The agent can’t tell the difference between instructions from its owner and instructions hidden in the content it reads.
In Noma’s proof of concept, the malicious issue looked like a routine request from a VP of Sales. The workflow was set to wake when an issue gets assigned, read it, and reply with a comment. Once a routine automation assigned the issue, the agent pulled a private repo’s README and pasted it into a public comment.
GitHub has guardrails. The company warns about prompt injection in its own docs. The product ships with sandboxing, read-only tokens by default, input cleaning, and a threat-detection step that scans output before posting. Noma found that a one-word prefix — “Additionally” — was enough to slip past. The model treated it as a follow-on task rather than something to refuse.
What makes GitLost different from earlier prompt injection demos? “Earlier examples were largely about manipulating what an agent said,” says Sasi Levi at Noma. “GitLost is about manipulating what an agent does with its permissions.” The agent is a credentialed actor inside your infrastructure, not a chat window.
Levi calls it the lethal trifecta: an agent that can reach private data, takes in untrusted outside content, and has a way to send data out. Combine all three, and you have a leak path. No patch is going to fully fix this — it’s a structural consequence of giving AI agents standing credentials while having them read attacker-reachable text.
