Researchers at Noma Security disclosed GitLost, a prompt injection technique that can make GitHub Agentic Workflows expose data from private repositories through public issue comments. In the demonstrated attack, an adversary needed only to open a crafted issue in a public repository; if the workflow had broad cross-repository read access and permission to post publicly, the agent could be steered into retrieving content from a private repository in the same organization and publishing it as part of its response. The proof of concept showed the agent reading a private repository README and using its own authorized access as the exfiltration path, without the attacker needing credentials, coding skills, or direct access to the private repo.
Noma said GitHub had been notified through responsible disclosure and published workflow reproductions and proof-of-concept evidence after testing. The researchers also reported that GitHub’s prompt-based output protections could be bypassed with a one-word prefix—"Additionally,"—causing the model to comply with the malicious instruction instead of refusing it. The findings highlight an architectural risk in AI agents that combine access to sensitive internal data, ingestion of untrusted public input, and an outward publishing channel; recommended mitigations include minimizing token and repository scope, limiting what agents can publish publicly, restricting which users can trigger agent actions, and requiring human review before public posting.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
GitHub was informed of the GitLost vulnerability through responsible disclosure before Noma Labs publicly released its findings. The references do not specify the exact disclosure date.
During testing, Noma found that GitHub's prompt-based output threat-detection guardrail could be bypassed by prefixing the malicious instruction with the word "Additionally," causing the model to comply instead of refuse. This revealed that the existing guardrails could be evaded with a minimal prompt change.
Noma Security showed that a crafted public GitHub issue could steer GitHub Agentic Workflows into reading data from a private repository in the same organization and posting it publicly when the agent had broad cross-repository access. The proof of concept used the agent's own authorized access as the exfiltration path and required no direct access to the private repository.
Noma Labs publicly disclosed the GitLost vulnerability and released proof-of-concept evidence and workflow reproductions showing how a public issue could trigger leakage from a private repository. The publication also included mitigation guidance such as minimizing agent permissions and limiting public outputs.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
13 references tracked. Mallory keeps watching after this page renders.
cyberveille.ch
Open sourcescworld.com
Open sourcesecurityweek.com
Open sourceinfoworld.com
Open sourcedarkwebinformer.com
Open sourcetheregister.com
Open sourcedarkreading.com
Open sourcereddit.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.