Skip to content
AI Security Wire

Published

- 5 min read

By

GitLost: Prompt Injection in GitHub Agentic Workflows Leaks Private Repos

img of GitLost: Prompt Injection in GitHub Agentic Workflows Leaks Private Repos

A public GitHub issue containing no malware, no stolen credentials, and no privileged access can trick GitHub Agentic Workflows into pulling your organisation’s private repository contents into a public comment. That is the finding Noma Security published on 6 July 2026 under the name GitLost, and it illustrates a problem that is getting harder to ignore as agentic AI tools take on more sensitive access across developer infrastructure.

The attack is prompt injection, the same category of vulnerability that has appeared in AI system after AI system over the past two years. The specific wrinkle with GitLost is where the injection point is, and what the agent is authorised to do once it’s been misdirected.

What GitHub Agentic Workflows Does

GitHub Agentic Workflows is a feature GitHub put into public preview in February 2026. The idea is straightforward: you give a GitHub-hosted AI agent authorisation to read repositories, respond to issues, assist with code review, and generally act as an automated participant in a repository’s workflow. For organisations that have given the agent broad access across multiple repos — including private ones — it becomes a convenient assistant for cross-project work.

That same breadth of access is the attack surface GitLost exploits.

The Attack

The attacker’s starting position requires nothing beyond an internet connection and the ability to open a public issue. If a target organisation has configured GitHub Agentic Workflows with read access across its repositories, the agent will process issues in public repos it’s connected to. The attacker crafts an issue with injected instructions: something that directs the agent to pull content from a private repository and include it in a reply.

Noma’s researchers encountered a hitch during testing. Straightforward injection attempts triggered the model’s safety checks and got refused. The breakthrough came from a single word: “Additionally.”

Adding “Additionally” to the crafted prompt changed how the model processed the request. Instead of evaluating it as a new, potentially unsafe instruction, the model treated it as a continuation of a legitimate task already in progress — a cooperative context cue rather than an adversarial command. The safety filter stepped aside. The private repository content appeared in a public comment.

Noma named the technique GitLost. The root cause, as they describe it, is a failure to maintain a strict trust boundary between system-level directives and untrusted user data. The agent couldn’t distinguish between “content I’m processing” and “instructions I should follow.” That distinction is the entire security model of human-in-the-loop oversight, and it collapsed under a one-word prompt manipulation.

Why This Pattern Keeps Appearing

The GitHub case is notable partly because it’s GitHub — a platform that essentially runs on developer trust — but the underlying vulnerability pattern is not new. Prompt injection has now affected customer support agents, email assistants, code interpreters, browser agents, and document-processing pipelines. Every time an agent is given access to untrusted input and is authorised to take action based on what it reads, the injection surface exists.

What makes agentic deployments distinctly dangerous is the combination of broad access and autonomy. A traditional integration that reads private repository data requires explicit authentication and sends a clear API call that can be logged and audited. An agent with the same access can be misdirected into performing the same exfiltration through natural-language manipulation that shows up in an issue thread rather than a server log.

The “Additionally” bypass is particularly worth noting because it’s not a technical exploit of a specific bug. It’s manipulation of the model’s interpretation of context. Patches that address the specific phrasing will not prevent semantically equivalent attacks; the fix has to address the architectural trust boundary, not the surface symptom.

The Disclosure

Noma reported GitLost to GitHub as part of their disclosure. GitHub acknowledged the report. As of the time of publication, GitHub has not issued a patch. The feature remains in public preview.

GitHub’s response noted that the feature is in preview and that users should configure agent permissions appropriately. That framing puts the burden on administrators to scope down access — which is reasonable as a mitigation, but doesn’t address the root-cause trust-boundary failure.

What to Do

The practical mitigations for organisations running GitHub Agentic Workflows:

Scope permissions down. If the agent only needs access to two repositories, don’t give it access to twenty. The blast radius of a successful injection scales directly with the agent’s permissions.

Treat issues and PR descriptions as untrusted input. Any content authored by external contributors should be treated as potentially adversarial. Agents that process this content are operating on untrusted data, regardless of what their system prompt says.

Audit agent output channels. Public comments from an agent are the exfiltration vector in GitLost. If your agent is producing outputs in public or semi-public spaces, ensure it has no way to include content from scoped private resources in those outputs.

Monitor for anomalous activity. Agent activity logs should flag cross-repository reads that occur during issue processing. The pattern — issue arrives, agent reads a private repo, agent comments publicly — should be detectable in most workflow logs.

The tool is in preview. The access is real. The combination is a live attack surface until GitHub addresses the underlying trust model.

References

Frequently Asked Questions

What is GitLost and which systems does it affect?
GitLost is a prompt injection technique discovered by Noma Security that targets GitHub Agentic Workflows, a feature GitHub launched in public preview in February 2026. An attacker who opens a crafted issue on any public repository can steer the agent into leaking contents from the organisation's private repositories into a public comment — without any stolen credentials or privileged access.
How does adding the word 'Additionally' enable the attack?
Noma's researchers found that appending the word 'Additionally' to a crafted prompt caused the model to reframe how it was processing the request. Instead of refusing the instruction as out-of-scope, the model treated the continuation as a legitimate extension of the task, stepping past the safety check. The word itself is not a magic bypass; it exploits the model's tendency to treat continuation cues as cooperative context rather than adversarial injection.
What should organisations using GitHub Agentic Workflows do now?
The core controls are the same ones that apply to any agentic deployment with cross-repository access: scope permissions to the minimum the agent needs (never grant read access to all repos if only one or two are needed), treat content from untrusted sources — issues, pull request descriptions, comments — as potentially adversarial input, and review what the agent is authorised to post as outputs. Until GitHub patches the root trust-boundary issue, limiting agent scope is the most effective mitigation available.