Security firm Noma has disclosed GitLost, a flaw that let a plain public GitHub issue trick GitHub's AI agent into leaking private repository data. According to Noma, whose findings were reported by Dark Reading, The Hacker News and SiliconANGLE, the trick needed no coding and no account on the target. It is a textbook example of the risks in AI agent security. Here is how it worked.
What GitHub Agentic Workflows are
GitHub recently launched Agentic Workflows, which pair GitHub Actions - its automation system - with an AI agent backed by Claude or GitHub Copilot. Teams write the workflow in plain Markdown, and the agent reads issues, calls tools and responds on its own. It is a real AI coding agent wired into your repositories.
The catch: an autonomous agent acts on whatever text it reads. And some of that text comes from untrusted, public sources.

How the attack worked
According to Noma, the exploit used indirect prompt injection - hostile instructions buried in content the agent reads, which the model then follows as if they came from its operator.
The vulnerable workflow triggered when an issue was assigned. It read the issue title and body, posted a comment in reply, and ran with read access to the organisation's public and private repositories. The attack, step by step:
- An attacker opened a public issue in a public repo owned by the same organisation.
- Hidden in the body, framed as a routine request from a sales executive, were plain-English commands for the agent.
- Once GitHub automation assigned the issue, the agent followed them: it fetched README files from a public and a private repo.
- It then posted that private content as a public comment that anyone could read.
No exploit code. No login on the target. Just a well-worded issue.
Why this matters
GitLost is not a bug in a single line of code. It is the core risk of agentic AI: an agent with broad read access that also reads untrusted input can be steered by that input. The model cannot reliably tell "instructions from my operator" apart from "text in an issue I was told to read."
That is the same weakness behind prompt injection generally - here aimed at a real product with access to private code.
How to protect yourself
- Least privilege. Do not give an agent workflow broad read access to private repos it does not need.
- Distrust untrusted triggers. Be cautious with workflows triggered by public issues, comments or pull requests - that is attacker-controlled text.
- Separate instructions from data. Treat everything the agent reads as data, not commands, and keep your trusted prompt apart from it.
- Human in the loop. Require review before an agent posts or acts on anything sensitive.
The honest takeaway
Two caveats. First, GitLost was responsibly disclosed to GitHub - this is a demonstrated weakness reported by security media, not evidence of mass exploitation. Second, the fix is not exotic: least privilege, untrusted-input hygiene, and human review are standard security, applied to a new agentic surface.
The honest read: agentic workflows are powerful because they read your issues and act on your repos - and dangerous for exactly the same reason. As you wire agents into real systems, assume any text they read could be an instruction, and cap what they can reach. For choosing capable, well-behaved models to begin with, our best coding LLMs 2026 overview helps.



