Public GitHub Issues Exploit Agentic Workflows to Leak Private Repository Data via Prompt Injection
An attacker can use a public GitHub issue to trick GitHub Agentic Workflows into pulling private repository contents and posting them publicly, leveraging a weakness in instruction parsing. This vulnerability, termed GitLost, demonstrates a structural flaw in how AI agents handle permissions, enabling data leakage through prompt injection.
A public issue can trick GitHub Agentic Workflows into leaking the contents of an organization's private repositories, researchers at Noma Security have shown.
The attacker needs only to open a normal-looking issue on a public repository, with no stolen credentials and no access to the organization. If that organization has given the agent read access across its repositories, private ones
*** END OF TRANSMISSION ***