Illustration of a downcast, crying cartoon cat-octopus character beside bold black text reading "GitLost"

GitHub AI Agent Bug Let Attackers Leak Private Code

One word – “Additionally” – was enough to defeat GitHub’s guardrails and expose private repository contents to the open web.

An unauthenticated attacker who posts nothing more than a single comment to a public GitHub support ticket could trick an AI agent into leaking an organization’s private code, according to research security firm Noma Security published Monday.

The flaw, which Noma’s researchers nicknamed “GitLost,” lives in GitHub Agentic Workflows, a feature that pairs GitHub Actions (GitHub’s automation system) with an AI agent backed by Claude or GitHub Copilot. Teams write instructions in plain English instead of code, and the agent reads requests, takes action and replies on its own.

Noma’s team found that a workflow configured to respond to newly assigned issues could be tricked into fetching README files from both public and private repositories in the same organization, then posting that content as a public comment anyone could read. No login, credentials or coding skill were required — just an issue posted in a public repo belonging to an organization using the feature.

“The agent’s context window is also its attack surface,” wrote Sasi Levi, security research lead with Noma Security.

A hypothetical attack might include a company’s public “bug-reports” repo – set up to auto-triage new issues. An outsider posts an issue with hidden instructions. The agent reads it, follows the instructions, and reposts private source code as a public comment on that same issue ahead of the company noticing.

GitHub had guardrails meant to stop the agent from leaking that kind of data. Noma’s researchers found they could defeat those guardrails by adding a single word, “Additionally,” to their crafted instructions. That proved to be enough to make the model reframe its response instead of refusing it.

The technique is known as prompt injection where code hides instructions inside content an AI agent reads. The agent follows the attacker’s commands instead of its operator’s. Security researchers increasingly describe prompt injection as the “SQL injection” of the AI-agent era — a systemic, category-wide flaw rather than a one-off bug.

“Prompt injection attacks have become, to agentic AI, what SQL injections were to web applications,” Levi wrote.

OWASP’s Top 10 for LLM applications already ranks prompt injection as the single biggest risk facing agentic systems. Noma’s own catalog of prior findings – GrafanaGhost, DockerDash, ContextCrush – shows the pattern repeating across tools.

Noma published a proof-of-concept workflow run and a sample GitHub issue documenting the exploit. The company said it disclosed GitLost to GitHub before publishing its findings Monday.

Scoped permissions and hard trust boundaries between instructions and untrusted data remain the only real fix, Levi said. Guardrail patches that chase specific trigger words, like “Additionally” will keep losing this game, he added.

A benchmark called WASP, published by Meta’s FAIR research group, found that simple, low-effort written attacks against web-browsing AI agents succeeded at least partially in up to 86% of test cases, even against advanced reasoning models — underscoring how far current defenses lag behind real-world agent deployments.

By failing to maintain a strict trust boundary between system-level directives and untrusted user data, developers inadvertently turn their agents into willing accomplices. The core takeaway: treat user input as hostile by default, mandating rigorous sanitization before it ever touches the model’s instruction context, Levi said.

SPB has covered a similar failure mode before: a Google Vertex AI flaw dubbed “Double Agents” that let low-privilege users weaponize an AI agent to exfiltrate cloud data, and Coro’s move to wire live security telemetry into AI assistants via the Model Context Protocol.

Author

  • Tom Spring

    Tom Spring is a cybersecurity journalist covering identity, AI, cloud security and enterprise risk. He is the founder of Security Point Break and former Senior Editorial Director at CyberRisk Alliance, where he led coverage for SC Media, MSSP Alert and ChannelE2E.

    An award-winning reporter, his work has been recognized by the Society of Professional Journalists, ASBPE and the Jesse H. Neal Awards. He focuses on cutting through cybersecurity hype to deliver clear, grounded reporting for security and business leaders.

Total
0
Shares

Leave a Reply

Previous Article
Illustration of a security analyst slumped over a desk buried in a flood of alert notifications, with only two flagged in red as real threats among dozens of false positives

AI SOC Tools Misflag Up to 86% of Safe Traffic, Study Finds

Related Posts

Discover more from Security Point Break

Subscribe now to keep reading and get access to the full archive.

Continue reading