« All posts

GitLost: A Public GitHub Issue Can Leak Private Repos

GitLost shows how a public GitHub issue and a one-word prefix bypass threat detection, leaking private repo contents via Agentic Workflows.

Noma Security has published GitLost, an indirect prompt-injection technique targeting GitHub's Agentic Workflows feature, which entered public preview in February. The attack hinges on orgs granting these agents a personal access token with org-wide read access; an attacker simply opens an innocuous-looking public issue, the agent processes it, pulls a private repo's README, and pastes it into a public comment, which becomes the exfiltration channel.

What makes this notable is that GitHub's existing defenses (sandboxing, read-only tokens, input sanitization, and an output threat-detection scanner) were bypassed with a single word. Prefixing the malicious instruction with "Additionally" made the model treat it as a legitimate follow-on task rather than something to refuse, slipping past the scanner. This maps directly onto Simon Willison's "lethal trifecta": an agent with access to private data, exposure to untrusted external content, and a channel to exfiltrate data.

Noma frames this as a structural, recurring class rather than an isolated bug, citing similar findings against Anthropic's Claude Code GitHub Action, Orca's RoguePilot, and Invariant Labs' earlier work. Since natural language lacks a clean data/instruction boundary like parameterized SQL, the fix isn't better filtering but architectural: scoping tokens to a single repo, restricting what public-facing workflows can post, and gating agent output behind human review.