‘GitLost’ vulnerability let GitHub’s AI workflows leak private repositories
Researchers at artificial intelligence security company Noma Security Inc. today disclosed a critical prompt injection vulnerability in GitHub Inc.’s new Agentic Workflows feature that allowed an unauthenticated attacker to siphon data from private code repositories by posting a single crafted issue in a public one.
Named GitLost, the vulnerability was found by Noma Labs, the company’s research arm. It targeted GitHub Agentic Workflows, a feature the Microsoft Corp.-owned company built to automate repository tasks with artificial intelligence. The workflows live in plain Markdown and compile down to GitHub Actions, its system for running jobs when something happens in a repository.
Behind them sits an AI agent that runs on either Anthropic PBC’s Claude or GitHub Copilot. It reads incoming issues and acts on them and no human signs off first.
GitLost works through indirect prompt injection. An attacker buries hostile instructions in content the agent reads and the model follows them as though they came from its operator. Pulling it off took no coding skill and no account on the target. The attacker opened an issue in a public repository owned by an organization that runs a vulnerable workflow, then waited.







