A recently uncovered security flaw known as ‘GitLost’ reveals a method by which attackers can exploit GitHub’s AI-powered workflows to publicly expose private repository data. This vulnerability can be leveraged through a simple GitHub Issue, requiring no special credentials or technical skills for execution.
Understanding GitHub’s Agentic Workflows
GitHub’s Agentic Workflows combine GitHub Actions with AI agents like Claude or GitHub Copilot, enabling teams to create automation scripts in Markdown that convert into YAML Actions files. These agents are capable of reading issues, utilizing tools, posting comments, and accessing repositories based on permissions set within an organization, without needing human oversight for each action.
The GitLost vulnerability arises from an indirect prompt-injection flaw. As identified by Noma Labs, a specific workflow was designed to activate on issue assignments, process the issue’s title and content, respond through a commenting tool, and access both public and private repositories.
Exploiting the GitLost Vulnerability
Due to the agent’s inability to differentiate between secure system instructions and user-generated content, attackers could insert plain-English commands in an issue’s body, prompting the agent to execute them. Noma Labs demonstrated this by crafting an issue that appeared as a legitimate request from a ‘VP of Sales,’ which, when assigned, triggered the agent to compile and release README.md files from both public and private repositories.
This exploit was further facilitated by the inclusion of the word ‘Additionally’ in prompts, which bypassed existing safeguards and reframed the model’s responses. Such linguistic manipulations were sufficient to circumvent protection measures intended to prevent data leaks.
Implications and Defensive Measures
The GitLost scenario highlights a fundamental vulnerability in agentic AI systems: the dual nature of the model’s context window as an attack surface. Content processed by an agent, such as issues or comments, can be misinterpreted as commands if not properly managed.
Experts draw parallels between the role of prompt injection in AI security and SQL injection in web security, urging the need for systemic defenses. To mitigate such risks, it is crucial to never treat user-controlled input as reliable instruction, limit agent permissions, and restrict public disclosures by agents. Additionally, isolating or sanitizing user inputs before processing can prevent unintended actions.
Noma Labs responsibly disclosed the GitLost vulnerability to GitHub, emphasizing the need for updated security protocols in AI-driven environments.
