What happened
Noma Labs discovered "GitLost," a critical prompt injection vulnerability within GitHub's new Agentic Workflows, enabling unauthenticated attackers to extract private repository data. By posting a crafted GitHub Issue in a public repository, the AI agent, backed by Claude or GitHub Copilot, was tricked into publicly commenting with README.md content from private repositories in the same organisation, bypassing existing guardrails.
Why it matters
Unauthenticated data exfiltration from private repositories exposes organisations to significant intellectual property theft. This vulnerability, a textbook indirect prompt injection, demonstrates that an agent's context window is its attack surface, where trust boundaries are enforced by model behaviour rather than code. Security architects must prioritise strict permission scoping for AI agents, especially those with cross-repository access, to prevent similar systemic vulnerabilities, echoing concerns from Google's confirmed AI zero-day exploit in May.




