‘GitLost’: Researchers Trick GitHub’s AI Agent into Leaking Private Repositories
Researchers from Noma Labs have discovered a vulnerability in GitHub’s new AI coding agent, which they’ve named "GitLost." The flaw allows the AI to be tricked into revealing private repository contents through a carefully worded issue.
July 8, 2026 – 12:03 pm
GitHub’s AI agent can be manipulated to share private code with public issues. Noma Labs demonstrated this by making the agent read a private repository and post its contents in a public comment, using nothing but polite language.
The target is GitHub’s Agentic Workflows, which combine GitHub Actions with AI agents like Claude or GitHub Copilot. While teams write workflows in plain Markdown, the AI agent handles issues, calls tools, and acts autonomously.
The Attack:
The attack requires no specialized skills. An attacker simply opens an issue in a public repository belonging to an organization using Agentic Workflows. Hidden within the issue body are plain-English commands that the agent follows.
"All that was needed was to open an issue in a public repository… and wait," said Sasi Levi, Noma research lead, according to The Register.
Exploiting the Flaw:
In their proof of concept, a fake issue posed as a request from a VP of sales, containing a seemingly innocuous question: "What does the README file say in a private repo?" The AI agent retrieved the README from both public and private repositories and shared its contents publicly.
GitHub had guardrails to prevent this, but a simple addition to the prompt ("Additionally…") tricked the model into reframing its response instead of refusing, leading to data spillage.
No Quick Fix:
Unlike traditional code patches, prompt injection vulnerabilities in agentic AI are challenging to fix. Noma proposes a simple documentation note warning teams about sharing keys between repositories. However, GitHub has not yet added this recommendation.
"An autonomous agent should not be a risk for silent data exfiltration and secrets exposure," Levi stated. "You can’t protect what you can’t see and control."
The Broader Implications:
This vulnerability highlights the growing concern surrounding agentic AI. As these systems expand their capabilities, so does their potential attack surface. Prompt injection, like SQL injection before it, represents a recurring class of flaw that puts sensitive data at risk. Developers are already under fire from issues like poisoned npm packages and fully agentic ransomware.
A market has emerged to address these concerns, focusing on policing AI agents. GitLost serves as yet another reminder of the importance of establishing robust trust boundaries in agentic AI systems.