Noma Security’s research team, Noma Labs, has disclosed a critical prompt injection vulnerability in GitHub’s new Agentic Workflows. The vulnerability, named GitLost, allowed researchers to trick GitHub’s AI agent into retrieving data from a private repository and posting it publicly by submitting a crafted issue in a public repository belonging to the same organization.
GitHub recently launched Agentic Workflows, a system that pairs GitHub Actions with an AI agent running on Claude or GitHub Copilot. It lets teams define workflows in Markdown, which GitHub converts into GitHub Actions workflows. The agent reads issues, calls tools, and responds on its own as part of normal operation.
WHY DOES IT HAVE ACCESS TO PRIVATE REPOSTORIES!!!???
Kissaki@programming.dev 31 minutes ago
The word “additionally” evading guardrails is comical.
You need structural separation. Separate agents for public vs private. Prompt or context washing is not enough.