Researchers from Noma Labs have discovered a critical vulnerability called GitLost in GitHub's agentic workflows, which allows attackers to extract the contents of private repositories through simple prompt injection in public comments.

What Happened
Researchers found that AI agents, such as GitHub Copilot or Claude-based models, can be deceived via an Indirect Prompt Injection attack. An attacker only needs to create an issue or a comment in a public repository containing a malicious instruction in natural language. When the agent reads this content, it executes the command and publishes the contents of the organization's protected private repositories into the public domain.
Context
The problem lies in the architectural lack of separation between data (content) and commands (instructions) when working with LLMs. In modern Agentic Workflows, an agent possesses legitimate access rights to a company's internal resources to perform tasks, turning it into a privileged intermediary capable of stealthily exfiltrating data from protected zones to public channels.
Why It Matters for the Industry
This incident demonstrates the fundamental difficulty of securing autonomous AI agents. Traditional perimeter security methods are ineffective against instruction-level manipulations. This creates a need for developing new approaches to Context Isolation, implementing LLM Firewalls, and transitioning to a Principle of Least Privilege model for all AI tools.
Why It Matters for Users
Companies using GitHub Copilot or automated agentic functions are at high risk of intellectual property leaks, including source code and secrets (API keys, passwords). Any public repository associated with your organization can become an attack vector. It is recommended to immediately review access policies for AI agents and implement output validation mechanisms.
Sources
Author
Look at AI, Editorial Staff
