Last updated: July 8, 2026 at 4:54 AM UTC
All 573 Vulnerability 206 Breach 108 Threat 252 Defense 7
Tag: agentic-workflows (1 article)Clear

A single GitHub issue can trick AI workflows into leaking private repository data

Researchers at Noma Labs showed that GitHub's new Agentic Workflows, which let an AI agent read issues and act on repositories automatically, can be tricked into leaking private code through nothing more than a public issue. The technique, GitLost, is indirect prompt injection: an attacker opens an ordinary-looking issue in an organization's public repository, buries plain-English instructions in it, and the agent, which often holds a token with read access across the org's repositories, follows them, fetches files from a private repo, and posts the contents in a public comment. No credentials, coding, or write access are needed. GitHub was notified, but researchers frame it as an architectural weakness.

Check
Review any GitHub Agentic Workflows or similar AI automations, and check whether their agents hold organization-wide or cross-repository read tokens while also processing untrusted content like public issues and pull requests.
Affected
Organizations using GitHub Agentic Workflows where the agent has broad cross-repository read access and reacts to public issues; an attacker can steer it into leaking private repository contents with one crafted issue.
Fix
Scope agent tokens to only the repositories a workflow needs, keep agents reading untrusted input away from private data, restrict which events trigger automation, and require human review before agents post publicly.