Prompt injection in GitHub's agent exposed private repo content
Noma Labs disclosed "GitLost" on 9 July: a prompt-injection flaw in GitHub's Agentic Workflows letting an unauthenticated attacker extract private repository content. A crafted issue posted in a public repository tricked the workflow agent — backed by Claude or GitHub Copilot — into publicly posting README content from private repositories in the same organisation, bypassing the workflow's existing guardrails.
The detail: Noma Labs' own analysis puts the failure at the design level: the trust boundary was enforced by model behaviour rather than code. No in-the-wild exploitation is reported, and the disclosure comes from a security vendor with a commercial interest in agent-security findings — one vulnerability in one product does not show agentic CI is broadly unsafe. It does show that a public issue tracker was enough surface to reach private data; if GitHub closes the injection path before any exploitation is observed, this stays a well-handled disclosure rather than an incident.
Related: GitLost lands on a documented arc. OpenAI and the UK's NCSC confirmed in May that prompt injection remains the top unfixed AI security risk, the same month Google confirmed the first AI-driven zero-day exploit, discovered and weaponised by criminal hackers using an AI model. Containment tooling has been building in parallel: NewCore raised £52 million in June for an agent-identity platform, Cloudflare's Temporary Accounts let agents deploy without human authentication (June), and this week Clawkwork's open-source clawk gives agents root inside disposable, network-restricted VMs, isolated from the host. Detection fared less well: Meta's AI detector missed 55% of its own AI images after cropping, per Reuters testing.