Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical CVE-2024-XXXXX in GCP Dialogflow Lets Attackers Inject Malicious Code
July 7, 2026
Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
July 7, 2026
VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
July 7, 2026
Home/CyberSecurity News/GitHub Copilot Chat Critical Vulnerability Exposes Private Repository Data
CyberSecurity News

GitHub Copilot Chat Critical Vulnerability Exposes Private Repository Data

Key Takeaways A critical vulnerability, dubbed “GitLost,” allowed attackers to extract private repository data from GitHub’s AI-powered Agentic Workflows. The flaw exploited an...

Sarah simpson
Sarah simpson
July 7, 2026 4 Min Read
3 0

Key Takeaways

  • A critical vulnerability, dubbed “GitLost,” allowed attackers to extract private repository data from GitHub’s AI-powered Agentic Workflows.
  • The flaw exploited an indirect prompt injection vulnerability within GitHub’s AI agents, specifically those configured to respond to issues.assigned events.
  • Attackers could leverage a single GitHub Issue to trick the AI agent into publicly exposing contents from private repositories without requiring credentials or coding expertise.
  • The vulnerability highlights systemic security challenges in agentic AI systems where user-controlled content can be misinterpreted as trusted instructions.
  • A fix is available, and GitHub was notified through responsible disclosure.

Critical “GitLost” Vulnerability Exposes Private GitHub Repository Data

A significant security flaw, branded “GitLost,” has revealed how malicious actors could exploit GitHub’s emerging AI-driven Agentic Workflows to exfiltrate sensitive data from private repositories. This vulnerability allowed attackers to trigger the leakage of private code and information to the public internet using only a single GitHub Issue, circumventing the need for credentials, advanced coding skills, or direct system access.

Table Of Content

  • Key Takeaways
  • Critical “GitLost” Vulnerability Exposes Private GitHub Repository Data
  • Understanding GitHub Agentic Workflows
  • The Indirect Prompt Injection Mechanism
  • Exploitation and Data Leakage
  • Systemic Implications for AI Security
  • What You Should Do

Understanding GitHub Agentic Workflows

GitHub Agentic Workflows represent a new paradigm in automation, integrating GitHub Actions with an AI agent powered by models like Claude or GitHub Copilot. This setup enables development teams to define complex automation tasks using natural language in Markdown, which the AI then translates into executable YAML Action files. These agents are designed to autonomously interact with repositories, reading issues, invoking tools, posting comments, and accessing other organizational repositories based on predefined permissions, all without constant human oversight.

The Indirect Prompt Injection Mechanism

The core of the “GitLost” vulnerability lies in a classic indirect prompt-injection flaw. Researchers at Noma Labs identified a vulnerable workflow configured to activate upon issues.assigned events. This particular workflow would read the issue’s title and body, use an add-comment tool to respond, and operate with read access across both public and private repositories within the organization.

The critical oversight was the AI agent’s inability to differentiate between legitimate system instructions and malicious, user-supplied content embedded within an issue. This allowed an attacker to inject plain-English commands directly into an issue body, compelling the agent to execute them as trusted directives.

Exploitation and Data Leakage

Noma Labs demonstrated the exploit by crafting an seemingly benign GitHub Issue. This issue was designed to mimic a request from a “VP of Sales” following a customer interaction. Once the issue was assigned, activating the vulnerable workflow, the AI agent proceeded to fetch the contents of README.md files from both a public repository (poc) and, crucially, a private repository (testlocal). The agent then combined this information and publicly posted it as a comment on the issue, making the private repository data accessible to anyone.

The researchers also discovered a subtle but effective bypass for GitHub’s existing security guardrails. By simply adding the word “Additionally” to their injected prompts, they could reframe the model’s output, preventing it from triggering a refusal mechanism. This linguistic trick proved sufficient to defeat safeguards intended to prevent such information leaks.

More technical details, including a Noma Labs details, a specific workflow run, and the triggering issue, confirm that leaked data included README contents from sasinomalabs/poc (public), sasinomalabs/remote-ping (public), and significantly, sasinomalabs/testlocal (private).

Systemic Implications for AI Security

The “GitLost” vulnerability underscores a fundamental architectural weakness inherent in many agentic AI systems: the model’s context window inadvertently serves as an expanded attack surface. Any content ingested by an AI agent—be it issues, pull requests, comments, or file contents—can potentially be weaponized if the agent interprets it as an instruction rather than mere data.

Traditional software security models rely on code-enforced trust boundaries. In contrast, agentic systems depend heavily on the behavioral integrity of the AI model. Instruction-following models, by their very design, are susceptible to this type of exploitation. Security experts are increasingly drawing parallels between prompt injection in AI security and SQL injection in web application security, recognizing it as a systemic, category-wide vulnerability demanding equally robust and systemic defenses.

Noma Labs responsibly disclosed the GitLost vulnerability to GitHub, allowing for remediation.

What You Should Do

  • Isolate User Input: Implement robust mechanisms to strictly separate untrusted user-controlled content from the trusted instruction context before it reaches the AI model.
  • Principle of Least Privilege: Configure AI agent permissions with the absolute minimum necessary access, particularly for cross-repository operations, to limit potential damage.
  • Restrict Public Responses: Control and restrict what AI agents are permitted to post publicly in response to issue content, preventing inadvertent data exposure.
  • Implement Input Sanitization: Sanitize all user input rigorously to neutralize potentially malicious commands or data before it is processed by the AI agent.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitSecurityVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection

Next Post

Critical RCE Vulnerabilities in Microsoft Exchange Servers Expose 2,259 Orgs

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection
July 7, 2026
Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical
July 7, 2026
STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us