Researchers at Noma Security have disclosed a critical prompt injection vulnerability in GitHub Agentic Workflows that could allow an unauthenticated attacker to extract data from an organization’s private repositories without any access credentials.

How GitLost Works

GitHub Agentic Workflows lets users define automation logic in natural language using markdown files, which an AI agent then interprets and executes as GitHub Actions. Noma found that a workflow configured to trigger on issues.assigned events would read the title and body of a submitted issue and post a comment in response. Critically, the workflow ran with read access spanning both public and private repositories belonging to the same organization.

Because GitHub Issues on public repositories can be created by anyone, an attacker only needs to open a plausible-looking issue containing hidden instructions. In their proof-of-concept, Noma crafted an issue that mimicked a request from sales leadership, instructing the agent to fetch the contents of Readme.md files from private repositories and post them as a public comment.

Bypassing GitHub’s Guardrails

GitHub does have protections intended to block this class of attack, but Noma found they could be bypassed through minor variations in phrasing. The researchers ultimately triggered the unintended behavior by adding the keyword “additionally” to the injected instruction, demonstrating that the guardrails are not robust against creative rephrasing.

Broader Implications for Agentic AI

Noma draws a direct analogy between indirect prompt injection and SQL injection in web applications, arguing that the agent’s context window is also its attack surface. Any content an agent reads, including issues, pull requests, comments, or files, can be weaponized if the agent treats that content as trusted instructional input.

“GitLost perfectly illustrates one of the fundamental security challenges every organization faces with agentic AI systems,” Noma noted in its disclosure.

Recommendations

After responsible disclosure to GitHub, Noma recommends organizations take the following steps:

  • Treat all user-controlled content as untrusted input
  • Restrict agent permissions to the minimum required scope
  • Limit what agents are permitted to post publicly
  • Sanitize user input before it is passed to AI agents

The vulnerability highlights a systemic risk in agentic AI deployments where the same agent context that enables broad automation also creates a broad attack surface accessible to anyone who can write a GitHub Issue.