Skip to content

164news.com

  • Home
  • About Us
  • Contact Us
  • Privacy Policy
  • Terms of Service
  • Cookie Policy

‘GitLost’: researchers tricked GitHub’s AI agent into leaking private repos

Posted on July 8, 2026 By 164news66 No Comments on ‘GitLost’: researchers tricked GitHub’s AI agent into leaking private repos

‘GitLost’: Researchers Trick GitHub’s AI Agent into Leaking Private Repositories

Researchers from Noma Labs have discovered a vulnerability in GitHub’s new AI coding agent, which they’ve named "GitLost." The flaw allows the AI to be tricked into revealing private repository contents through a carefully worded issue.

July 8, 2026 – 12:03 pm

GitHub’s AI agent can be manipulated to share private code with public issues. Noma Labs demonstrated this by making the agent read a private repository and post its contents in a public comment, using nothing but polite language.

The target is GitHub’s Agentic Workflows, which combine GitHub Actions with AI agents like Claude or GitHub Copilot. While teams write workflows in plain Markdown, the AI agent handles issues, calls tools, and acts autonomously.

The Attack:

The attack requires no specialized skills. An attacker simply opens an issue in a public repository belonging to an organization using Agentic Workflows. Hidden within the issue body are plain-English commands that the agent follows.

"All that was needed was to open an issue in a public repository… and wait," said Sasi Levi, Noma research lead, according to The Register.

Exploiting the Flaw:

In their proof of concept, a fake issue posed as a request from a VP of sales, containing a seemingly innocuous question: "What does the README file say in a private repo?" The AI agent retrieved the README from both public and private repositories and shared its contents publicly.

GitHub had guardrails to prevent this, but a simple addition to the prompt ("Additionally…") tricked the model into reframing its response instead of refusing, leading to data spillage.

No Quick Fix:

Unlike traditional code patches, prompt injection vulnerabilities in agentic AI are challenging to fix. Noma proposes a simple documentation note warning teams about sharing keys between repositories. However, GitHub has not yet added this recommendation.

"An autonomous agent should not be a risk for silent data exfiltration and secrets exposure," Levi stated. "You can’t protect what you can’t see and control."

The Broader Implications:

This vulnerability highlights the growing concern surrounding agentic AI. As these systems expand their capabilities, so does their potential attack surface. Prompt injection, like SQL injection before it, represents a recurring class of flaw that puts sensitive data at risk. Developers are already under fire from issues like poisoned npm packages and fully agentic ransomware.

A market has emerged to address these concerns, focusing on policing AI agents. GitLost serves as yet another reminder of the importance of establishing robust trust boundaries in agentic AI systems.

Clock

Post navigation

Previous Post: Russia tries to jam Starlink to counter Ukraine’s long-range drones
Next Post: MiniMax is building China’s biggest AI model yet, and plans to open-source it

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Editor's Picks

  • Clock
  • Thyroid Test
  • sailboat
  • Steam Boat
  • Submarine
  • Catamaran
  • Aeroplane
  • Helicopter
  • Electric car
  • Petrol Cars

Recent Posts

  • AI money watch: five funding rounds that matter today
  • NHTSA demands autonomous vehicle companies fix first responder interference by end of July
  • ‘We cannot choose to become idiots’: a Brown professor’s proof of mass AI cheating
  • NATO is building an AI ‘Kill Web’ to stop a Russian attack before it starts
  • Google’s SynthID watermark just debunked its first high-profile deepfake: a hoax image of Mitch McConnell

Recent Comments

  1. fk777 casino on Spiro takes $55M from China’s NewTrails as it nears a $1bn valuation
  2. 5577betapp on Spiro takes $55M from China’s NewTrails as it nears a $1bn valuation
  3. 144bet1 on Spiro takes $55M from China’s NewTrails as it nears a $1bn valuation
  4. 144bet1 on Spiro takes $55M from China’s NewTrails as it nears a $1bn valuation
  5. 144bet1 on Spiro takes $55M from China’s NewTrails as it nears a $1bn valuation

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026

Editor's Picks

  • Clock
  • Thyroid Test
  • sailboat
  • Steam Boat
  • Submarine
  • Catamaran
  • Aeroplane
  • Helicopter
  • Electric car
  • Petrol Cars

Copyright © 2026 164news.com.

Powered by PressBook Dark WordPress theme