Researchers uncovered GitLost, a prompt injection attack that can trick GitHub AI workflows into leaking data from private repositories.
A public GitHub issue may not seem like much of a security threat. But researchers have shown that, under the right conditions, it can be enough to persuade an AI-powered workflow to reveal information from private repositories it was never meant to expose.
The technique, which researchers at Noma Security call GitLost, targets GitHub Agentic Workflows GitHub’s AI-powered automation feature that is currently in public preview. Rather than exploiting a software bug, the attack manipulates the AI itself, convincing it to misuse the permissions it has already been given.
The idea is surprisingly straightforward. If an organization allows an AI workflow to read public GitHub issues while also granting it access to private repositories, an attacker can hide carefully crafted instructions inside a public issue. When the AI processes that issue, it may treat those hidden instructions as part of its task instead of ignoring them.
In a demonstration, the researchers showed how an AI agent could be coaxed into searching private repositories for sensitive information before posting the results back to a public GitHub comment. The attacker never needs access to the private repositories or the organization’s credentials the AI does the work using its own authorized permissions.
GitHub has built in protections designed to detect prompt injection attacks, but the researchers found those safeguards were not foolproof. During testing, they discovered that a small change to the wording of the malicious prompt was enough to bypass one of the platform’s defenses, allowing the attack to proceed.
The researchers emphasize that this isn’t a problem for every GitHub user. Agentic Workflows use read-only permissions by default, which limits what an AI agent can access. The risk increases when organizations expand those permissions, such as giving the workflow a personal access token that can read private repositories across an organization while still allowing it to interact with public content.
Noma Security says the safest approach is to give AI agents access only to the repositories they genuinely need, keep public and private workflows separate wherever possible, and require human review before AI-generated responses based on public input are published.
The findings are another reminder that securing AI tools isn’t just about fixing software flaws. As more development teams rely on AI to automate everyday tasks, attackers are increasingly looking for ways to manipulate the models instead. In many cases, the AI doesn’t have to be hacked it simply has to be convinced to use its legitimate access in ways its operators never intended.
Related articles :
__Reports are sourced from official documents, law-enforcement updates, and credible investigations.
Discover additional reports, market trends, crime analysis and Harm Reduction articles on DarkDotWeb to stay informed about the latest dark web operations.__