SECURITY
SECURITY
SECURITY
Researchers at artificial intelligence security company Noma Security Inc. today disclosed a critical prompt injection vulnerability in GitHub Inc.’s new Agentic Workflows feature that allowed an unauthenticated attacker to siphon data from private code repositories by posting a single crafted issue in a public one.
Named GitLost, the vulnerability was found by Noma Labs, the company’s research arm. It targeted GitHub Agentic Workflows, a feature the Microsoft Corp.-owned company built to automate repository tasks with artificial intelligence. The workflows live in plain Markdown and compile down to GitHub Actions, its system for running jobs when something happens in a repository.
Behind them sits an AI agent that runs on either Anthropic PBC’s Claude or GitHub Copilot. It reads incoming issues and acts on them and no human signs off first.
GitLost works through indirect prompt injection. An attacker buries hostile instructions in content the agent reads and the model follows them as though they came from its operator. Pulling it off took no coding skill and no account on the target. The attacker opened an issue in a public repository owned by an organization that runs a vulnerable workflow, then waited.
Noma said the workflow it tested was configured to trigger when an issue was assigned, read the issue title and body, post a comment in response and run with read access to other public and private repositories in the organization. Hidden in the body of a plausible-looking issue, framed as a request from a sales executive, were plain-English commands for the agent to follow.
Once GitHub automation assigned the issue, the agent fetched the contents of README files from both a public and a private repository, then posted them as a public comment that anyone on the internet could read. In its proof of concept, Noma exfiltrated the README from a private repository along with one from a public repository. A third public repository was targeted in the same run but held no README to leak.
GitHub had guardrails in place meant to stop exactly that behavior, but Noma found they could be defeated. Adding the word “additionally” to the injected instructions caused the model to reframe its output rather than refuse the request, quietly bypassing the protections. The technique echoes Noma’s “GrafanaGhost” research in April, in which specific keywords similarly tricked a model into processing malicious instructions it should have blocked.
“It is becoming a bigger issue now because, if you don’t properly limit its tools and capabilities, it can rapidly execute instructions from a malicious party without you ever knowing,” Mariano Fuentes, co-founder of compliance automation startup Comp AI, told SiliconANGLE via email. “The attacker can prompt the LLM to not verbally acknowledge what it’s going to do and therefore it silently executes the instructions without the victim ever knowing.”
The finding underscores a structural problem with agentic systems: the agent’s context window doubles as its attack surface. Any issue, pull request, comment or file the agent reads can be weaponized if the model treats that content as instructions. Prompt injection, Noma argues, has become to agentic AI what SQL injection was to web applications, a systematic vulnerability class that demands systematic defenses.
Noma recommended that builders never treat user-controlled content as trusted instruction input, scope agent permissions to the minimum required, restrict what an agent can post publicly and isolate user input from the instruction context before it reaches the model.
For Fuentes, the fix comes down to control over what an agent is allowed to do. “They need to have a careful review about what the LLMs can do with these internal systems, what permissions the LLM has and if it requires human verification for sensitive actions,” he said. Companies, he added, “should always question if it’s necessary that the LLM make that call for them.”
GitLost was responsibly disclosed to GitHub and detailed publicly with the company’s knowledge.
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.