A newly discovered vulnerability in GitHub's Agentic Workflows allows attackers to trick the AI agent into exposing private repository contents through a simple public issue. Researchers at Noma Labs demonstrated the attack, dubbed GitLost, by crafting a seemingly normal feature request that contained hidden instructions. When the agent processed the issue, it obediently fetched and posted the contents of private repositories as a public comment — no credentials or exploit code required.
How the GitLost attack works
The attack exploits the agent's inability to distinguish between legitimate instructions from its operator and malicious instructions embedded in user-controlled content. Noma's researchers created a GitHub Issue that appeared to be a routine request from a VP of Sales, but the body contained hidden commands telling the agent to read README.md files from other repositories in the organization and post them as a comment. The agent, configured to trigger on issue assignments and run with read access to multiple repos, executed the instructions exactly — including leaking the contents of a private repository called testlocal.
The proof-of-concept is publicly visible on GitHub, showing the workflow run and the resulting comment. The attack does not require any special access or exploit code; it relies solely on the agent's trust in the content it reads.
Guardrail bypass with a single keyword
GitHub had implemented guardrails to prevent such injections, but Noma found they could be bypassed by adding the word "Additionally" to the injected instructions. This single keyword caused the model to reframe its output rather than refuse, completely undermining the intended safety behavior. The ease of bypassing guardrails highlights a fundamental challenge: defenders must anticipate every possible attack pattern, while attackers only need to find one that works.
Noma Labs draws a direct parallel between prompt injection in agentic AI and SQL injection in web applications. Both are systematic, category-wide vulnerability classes that require architectural defenses rather than case-by-case hardening. The GitLost attack is not an isolated incident; it follows the same pattern as previous Noma discoveries like GeminiJack and DockerDash, demonstrating that the more access an agent has, the more valuable a successful injection becomes.
Recommendations for mitigation
To protect against such attacks, organizations should scope agent permissions tightly, especially avoiding cross-repository read access unless absolutely necessary. Agents should never be allowed to post user-controlled content publicly, as the issue body that triggered the leak ended up reproduced in a public comment. User input should be sanitized or isolated before it enters the agent's instruction context — treated as untrusted by default, much like user input in a SQL query. Finally, administrators should audit their Agentic Workflow configurations immediately, checking what permissions workflows run with and what events can trigger them.
GitHub has been notified and the vulnerability was responsibly disclosed, but Noma warns that the underlying pattern remains unfixed. The specific instance was reported, but the structural trust boundary failure persists in agentic systems where security relies partly on model behavior rather than purely on code enforcement.