GitHub Agentic Workflows Vulnerable to Prompt Injection Attacks Leaking Private Repository Data
Key Takeaways
- ▸Attackers can exploit GitHub's Agentic Workflows with zero credentials or technical access—only the ability to create a public issue in an organization's repository
- ▸The vulnerability allows extraction and public exposure of data from private repositories, making it a critical data exfiltration risk for enterprises with mixed public/private repo structures
- ▸Prompt injection flaws in AI agents cannot be completely fixed in code and require organizational discipline around API key sharing and access control—a human and process problem, not just a technical one
Summary
Noma Labs security researchers discovered a critical vulnerability in GitHub's Agentic Workflows that allows attackers to manipulate AI agents into exfiltrating data from private repositories. The flaw, dubbed "GitLost," exploits prompt injection by hiding malicious commands in plain English within GitHub issues. When an AI agent processes the issue, it interprets these hidden commands as legitimate instructions, fetching sensitive data from private repositories and posting it publicly as a comment for anyone to access.
The vulnerability requires no special access, credentials, or coding skills—an attacker simply creates an issue in any public repository within an organization and waits for the AI agent to execute the malicious prompt. Once the private data is retrieved, the agent posts it as a public comment. The attack is particularly concerning because GitHub's Agentic Workflows grant AI agents broad access across both public and private repositories within an organization, with no code-based method to distinguish sensitive from public data.
Despite disclosing the vulnerability to GitHub and publishing detailed proof-of-concept attacks and reproduction workflows, Noma Labs found that GitHub has neither implemented a code-based fix nor added the proposed documentation warnings that researchers recommended. GitHub has not responded to inquiries about the issue, leaving organizations using Agentic Workflows unaware of the data exfiltration risks.
- GitHub has implemented no remediation despite public disclosure, suggesting AI feature velocity is outpacing security response in the industry
Editorial Opinion
This vulnerability exposes a critical blind spot in autonomous AI agent deployment: the more system access and cross-repository capabilities we grant these agents, the larger the blast radius of any prompt injection exploit becomes. GitHub's complete lack of response—no fix, no documentation, no public acknowledgment—is deeply troubling and suggests that AI product velocity is overtaking security rigor. Organizations must recognize that deploying autonomous agents without rigorous access controls, monitoring, and secret compartmentalization is essentially gambling that prompt injection attacks will never reach their systems.


