Per usual, there's no fix - or even any documentation - for GitLost

Malicious prompters could easily trick GitHub agents into pulling data from private repositories and then leaking the information as a public comment for anyone to access, according to Noma Labs researchers who named the vulnerability GitLost.The issue exists in GitHub’s Agentic Workflows, which allow an AI agent powered by Claude or GitHub Copilot to autonomously execute tasks in GitHub Actions. As the AI security sleuths discovered and detailed in a Monday blog, the workflows are vulnerable to a critical prompt injection flaw that causes GitHub’s AI agent to retrieve data from a private repo by crafting a GitHub issue in a public repository belonging to the same organization.

The attacker simply hides the malicious commands in plain English in the issue body, and the agent will then post this data as a public comment on the issue in the public repository.

“To exploit this vulnerability, the attacker needed no coding skills, access, or credentials,” Noma Security research lead Sasi Levi wrote. “All that was needed was to open an issue in a public repository belonging to an organization that uses GitHub’s Agentic Workflow setup and wait.”And, as is the case with most prompt-injection issues plaguing AI agents and systems, the vulnerability can’t be completely fixed in code. So the Noma researchers proposed documentation instead - but that didn’t happen, either. “The proposed fix was a documentation callout encouraging users to adopt different strategies to their API key sharing between their repos,” Levi told The Register. Still, Levi admitted: “Not all orgs would see the fix, or think it might be an issue.”As of Tuesday, GitHub had not implemented any such documentation. The Register reached out to the Microsoft-owned platform for comment and did not receive any response to our inquiries. Noma Labs disclosed the issue to GitHub, and told us that the code-hosting platform was aware of the researchers’ plans to post the details of GitLost. The AI threat hunters also published their workflow reproductions and proof-of-concept attack flow for transparency into their findings.