Researchers tricked GitHub’s AI coding agent into leaking private repositories with nothing but a politely worded issue. The flaw, named GitLost, has no code fix, and GitHub has yet to even document it.
GitHub’s new AI agent can be talked into handing over your private code. Security firm Noma Labs found a way to make it read a private repository and paste the contents into a public comment, the researchers wrote in a blog post. They named the flaw GitLost.
The target is GitHub Agentic Workflows, launched this year. They pair GitHub Actions with an AI agent backed by Claude or GitHub Copilot. Teams write the workflows in plain Markdown. The agent then reads issues, calls tools, and acts on its own.
Asked nicely
The attack needs no skill. An attacker opens an issue in a public repo of an organisation that uses the workflows. They hide plain-English commands in the issue body. The agent obeys them.









