GitHub Copilot Chat Critical Vulnerability Exposes Private Repository Data
Key Takeaways A critical vulnerability, dubbed “GitLost,” allowed attackers to extract private repository data from GitHub’s AI-powered Agentic Workflows. The flaw exploited an...
Key Takeaways
- A critical vulnerability, dubbed “GitLost,” allowed attackers to extract private repository data from GitHub’s AI-powered Agentic Workflows.
- The flaw exploited an indirect prompt injection vulnerability within GitHub’s AI agents, specifically those configured to respond to
issues.assignedevents. - Attackers could leverage a single GitHub Issue to trick the AI agent into publicly exposing contents from private repositories without requiring credentials or coding expertise.
- The vulnerability highlights systemic security challenges in agentic AI systems where user-controlled content can be misinterpreted as trusted instructions.
- A fix is available, and GitHub was notified through responsible disclosure.
Critical “GitLost” Vulnerability Exposes Private GitHub Repository Data
A significant security flaw, branded “GitLost,” has revealed how malicious actors could exploit GitHub’s emerging AI-driven Agentic Workflows to exfiltrate sensitive data from private repositories. This vulnerability allowed attackers to trigger the leakage of private code and information to the public internet using only a single GitHub Issue, circumventing the need for credentials, advanced coding skills, or direct system access.
Table Of Content
Understanding GitHub Agentic Workflows
GitHub Agentic Workflows represent a new paradigm in automation, integrating GitHub Actions with an AI agent powered by models like Claude or GitHub Copilot. This setup enables development teams to define complex automation tasks using natural language in Markdown, which the AI then translates into executable YAML Action files. These agents are designed to autonomously interact with repositories, reading issues, invoking tools, posting comments, and accessing other organizational repositories based on predefined permissions, all without constant human oversight.
The Indirect Prompt Injection Mechanism
The core of the “GitLost” vulnerability lies in a classic indirect prompt-injection flaw. Researchers at Noma Labs identified a vulnerable workflow configured to activate upon issues.assigned events. This particular workflow would read the issue’s title and body, use an add-comment tool to respond, and operate with read access across both public and private repositories within the organization.
The critical oversight was the AI agent’s inability to differentiate between legitimate system instructions and malicious, user-supplied content embedded within an issue. This allowed an attacker to inject plain-English commands directly into an issue body, compelling the agent to execute them as trusted directives.
Exploitation and Data Leakage
Noma Labs demonstrated the exploit by crafting an seemingly benign GitHub Issue. This issue was designed to mimic a request from a “VP of Sales” following a customer interaction. Once the issue was assigned, activating the vulnerable workflow, the AI agent proceeded to fetch the contents of README.md files from both a public repository (poc) and, crucially, a private repository (testlocal). The agent then combined this information and publicly posted it as a comment on the issue, making the private repository data accessible to anyone.
The researchers also discovered a subtle but effective bypass for GitHub’s existing security guardrails. By simply adding the word “Additionally” to their injected prompts, they could reframe the model’s output, preventing it from triggering a refusal mechanism. This linguistic trick proved sufficient to defeat safeguards intended to prevent such information leaks.
More technical details, including a Noma Labs details, a specific workflow run, and the triggering issue, confirm that leaked data included README contents from sasinomalabs/poc (public), sasinomalabs/remote-ping (public), and significantly, sasinomalabs/testlocal (private).
Systemic Implications for AI Security
The “GitLost” vulnerability underscores a fundamental architectural weakness inherent in many agentic AI systems: the model’s context window inadvertently serves as an expanded attack surface. Any content ingested by an AI agent—be it issues, pull requests, comments, or file contents—can potentially be weaponized if the agent interprets it as an instruction rather than mere data.
Traditional software security models rely on code-enforced trust boundaries. In contrast, agentic systems depend heavily on the behavioral integrity of the AI model. Instruction-following models, by their very design, are susceptible to this type of exploitation. Security experts are increasingly drawing parallels between prompt injection in AI security and SQL injection in web application security, recognizing it as a systemic, category-wide vulnerability demanding equally robust and systemic defenses.
Noma Labs responsibly disclosed the GitLost vulnerability to GitHub, allowing for remediation.
What You Should Do
- Isolate User Input: Implement robust mechanisms to strictly separate untrusted user-controlled content from the trusted instruction context before it reaches the AI model.
- Principle of Least Privilege: Configure AI agent permissions with the absolute minimum necessary access, particularly for cross-repository operations, to limit potential damage.
- Restrict Public Responses: Control and restrict what AI agents are permitted to post publicly in response to issue content, preventing inadvertent data exposure.
- Implement Input Sanitization: Sanitize all user input rigorously to neutralize potentially malicious commands or data before it is processed by the AI agent.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.