Skip to content
AI SecurityAgentic AIPrompt InjectionSupply Chain

GitLost: what GitHub's AI agent leak reveals about agentic workflow security

4 min read
Share

A public GitHub issue is the most open piece of content in software development: anyone can write one, anyone can read it. Noma Security showed that on a system running GitHub's Agentic Workflows, a public issue is also an instruction set for the AI agent, and the agent follows those instructions with the access level the workflow was granted.

That is GitLost, disclosed July 7, 2026, and patched by GitHub before publication.

The attack, step by step

GitHub's Agentic Workflows feature lets organizations automate repository management using AI agents that have read access to repositories in the organization. A workflow is configured to trigger on specific events, run with a defined set of permissions, and take actions based on what the agent reads.

In the GitLost scenario, the workflow was configured to trigger when an issue was assigned to it. When that happened, the agent read the issue title and body and then posted a comment in response.

Noma researchers opened a public issue in a public repository belonging to the target organization. The issue body looked plausible. Hidden in the body were plain-English instructions for the agent: fetch the contents of specific files from other repositories in the organization, including private ones, and post them in a comment.

The agent, running with read access across the organization's repositories, read the issue, followed the embedded instructions, fetched the private repository content, and posted it as a public comment visible to anyone on the internet.

The attacker required no account on the target organization. The attack required no coding skill. It required knowing the organization ran a vulnerable workflow and writing a convincing-looking issue.

Why this works: indirect prompt injection

Indirect prompt injection is when an attacker embeds instructions in content an AI agent reads, rather than injecting them directly into the agent's input. The agent treats the content as data but processes the embedded instructions as commands.

This is not a flaw specific to GitHub. It is a property of how language models work: they do not have a reliable mechanism for distinguishing data they are analyzing from instructions they should follow when both arrive as natural language text. Any content an agent reads is a potential instruction source.

GitLost is a clean demonstration at scale because GitHub issues are public, abundant, and expected to contain natural language. The attack surface is enormous.

What this means for your agentic deployments

The patch closes the specific GitLost attack vector, but it does not change the underlying dynamic. Any agentic workflow that reads external content, including PR descriptions, commit messages, issue comments, linked documents, email content, web pages, or database records, has an indirect prompt injection attack surface.

The practical mitigations are:

  • Minimize workflow permissions. An agent that reads issues does not need read access to private repositories unless the task explicitly requires it.
  • Treat all agent-readable content as untrusted input. Do not allow it to trigger privileged actions without explicit confirmation boundaries.
  • Audit existing workflows for permission scope. If any workflow reads external content and has broad organizational access, that is a risk item.
  • Log and monitor agent actions. If an agent starts reading files it has not been asked to read or posting content to unexpected locations, that is an anomaly worth alerting on.

The pattern that matters

GitLost is not an isolated research curiosity. The same attack pattern appears in the Dialogflow CX Rogue Agent vulnerability (Varonis, July 7), in the JADEPUFFER agentic ransomware (Sysdig, July 2026), and in research across multiple major AI platforms over the past year. The throughline is the same: AI agents that read external content can be instructed by that content, and the consequences scale with the access the agent has been granted.

Deployment decisions for agentic workflows should start with that question: what is the worst thing that happens if the content this agent reads contains malicious instructions? If the answer is significant, the access scope needs to shrink before the deployment ships.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you are building agentic workflows and want a security review of your permission model.