Researchers Trick Misconfigured GitHub AI Agent Into Leaking a Private Repo

Noma Labs found that a crafted GitHub issue could hijack a misconfigured Agentic Workflow, causing it to read a private repository and publish its contents.

Published on Jul 7, 2026
Researchers Trick Misconfigured GitHub AI Agent Into Leaking a Private Repo

A single GitHub issue was enough to turn a helpful AI agent against the organization running it.

In research shared with Expert Insights ahead of its publication today, Noma Labs detailed a prompt-injection flaw it named GitLost in GitHub’s Agentic Workflows, the feature that lets an AI agent read issues, call tools, and act on a repository from plain-Markdown instructions.

The attack is a textbook case of indirect prompt injection: instructions hidden inside content an AI agent reads, so it follows the attacker instead of its operator.

To test this, Noma’s researchers posted an ordinary-looking issue in a public repository, dressed up as a routine request from a colleague, with commands buried inside. 

When the workflow picked it up, the agent fetched the contents of a private repository in the same organization and posted them as a public comment, readable by anyone.

The attacker needed no credentials, no code, and no access, only the ability to open an issue and wait.

Two conditions made it work, Noma said. The targeted workflow had broad permissions, including read access to other repositories and the ability to post comments publicly.

GitHub Copilot’s built-in guardrails refused the injected instruction when it was issued in isolation, but Noma found that prefacing the same instruction with the word “Additionally” caused the model to reframe it as a continuation of an existing task rather than a new, suspicious one, and complete it without refusal.

To demonstrate the attack, Noma used its own repositories, rather than a real organization. A GitHub issue crafted to resemble a routine internal request (a follow-up from a VP of Sales after a customer meeting) was assigned to a workflow configured to trigger on issues.assigned events. Copilot processed it as normal input; the injected instruction directed it to read the contents of the private testlocal repository and post them as a public comment, which it did. The README appeared publicly on the issue thread. Noma has published the live workflow run and crafted issue as part of its disclosure.

“Everyday development artifacts like public GitHub issues, pull requests, and repository comments are no longer just passive text,” Jason Soroko, Senior Fellow at Sectigo told Expert Insights. “They are now active attack surfaces.”

The Context Window Is the Attack Surface

GitHub designed Agentic Workflows with prompt injection in mind. Its published security guidance emphasizes least-privilege permissions, limiting the AI agent’s direct access to secrets, and routing privileged write operations through separate “safe output” jobs to reduce the impact of prompt injection.

GitLost is less a story of absent defenses than of an over-permissioned workflow combined with a guardrail that could be talked around. Noma said it disclosed the flaw to GitHub before publishing.

The findings reflect a wider problem, the same trust failure that appears when malware rides in through repositories an AI coding tool opens automatically

Researchers increasingly compare prompt injection to what SQL injection once was for web applications: a systemic, category-wide weakness.

Ram Varadarajan, CEO at Acalvio, told Expert Insights that organizations need “model-aware defenses that act in real-time,” describing the shift as “the new era of bot-on-bot cyber-defense.”

As agents move deeper into developer workflows, the content they read has to be treated as untrusted by default.

This field is for validation purposes and should be left unchanged.

FREE NEWSLETTER

Cyber Weekly

Get curated cybersecurity news, threats and insights delivered free every Thursday.

Written By Written By
Alessandro Mascellino
Alessandro Mascellino Cybersecurity Reporter

Alessandro Mascellino is a British-Italian freelance journalist specializing in technology and gaming. He has contributed to several publications, including Wired, The Independent, and Android Police. By day, he works as a journalist. By night, he co-manages a game studio that creates narrative games.