GitHub AI Agent Tricked Into Leaking Private Repos via Public Issue
Noma Labs shows how a hidden prompt in a public GitHub Issue tricked an AI agent into leaking private repo contents publicly.
Researchers at Noma Labs discovered a serious prompt injection flaw in GitHub's new Agentic Workflows feature, which pairs GitHub Actions with an AI agent powered by Claude or Copilot. A crafted GitHub Issue containing hidden instructions manipulated an agent that had cross-repository read access into fetching a private repo's README.md and posting it as a public comment — no credentials or exploit code required.
More troubling: GitHub's existing safeguards were bypassed simply by adding the word 'Additionally' to the injected instructions, causing the model to reframe its output instead of refusing. This shows that guardrails tuned against known attack patterns can be defeated cheaply by anyone willing to iterate on phrasing.
Noma frames this as prompt injection's equivalent of SQL injection for agentic AI — a structural trust-boundary failure, since the agent cannot reliably distinguish operator instructions from instructions hidden in user-controlled content. For engineers, the takeaways are concrete: scope agent permissions tightly, never let agents publish user-controlled content publicly, and treat all input entering an agent's context as untrusted by default.