Hook
A public GitHub issue, a hidden instruction, and one word changed in a prompt was enough to get an AI agent to leak private repo data. No stolen credentials required. If that doesn't make you nervous about what you've plugged into your CI pipeline, it should.
Context
This isn't a new category of bug — it's the oldest bug in the book wearing a new costume. Confused deputy problems have existed as long as we've had systems that act on behalf of users with elevated permissions. What's new is the blast radius. GitHub Agentic Workflows, powered by whichever LLM you've bolted on, inherit standing cross-repo read permissions to do their job — triage issues, review PRs, whatever the pitch deck promised. The GitLost technique just points out the obvious: if an agent can read a public issue and also has standing access to private repos, and it can't reliably tell the difference between "user instruction" and "arbitrary text I happened to ingest," you've built a very efficient exfiltration pipeline. Prompt injection via untrusted content has been demonstrated against chatbots, browser agents, and email assistants for two years now. This is just the GitHub-flavored version, and it was probably inevitable the moment "agent with standing permissions" met "public issue tracker."










