GitLost Attack Shows How GitHub Issues Can Leak Private Repositories Through AI Agents

CSBadmin
2 Min Read

How GitLost Exploits AI Agent Workflows

A newly discovered vulnerability called GitLost reveals how attackers can use a single GitHub Issue to force an AI-powered workflow to expose private repository data. The technique requires no credentials, technical skill, or system access. GitHub Agentic Workflows combine GitHub Actions with an AI agent backed by Claude or GitHub Copilot. These agents read issues, call tools, post comments, and access repositories based on permissions, all without human oversight for each action. The core flaw is an indirect prompt injection. Noma Labs identified a workflow that triggered on issue assignment events, read the issue title and body, then responded using an add-comment tool with read access across both public and private repositories in the organization.

Impact on Data Security

The agent could not distinguish between trusted system instructions and untrusted user supplied content. Attackers embed plain English commands inside an issue body that the agent executes as directives. Researchers crafted an issue mimicking a request from a VP of Sales. When assigned, the workflow fetched README.md contents from a public repo and a private repo, then posted the combined output as a public comment. Adding the word “Additionally” to injected prompts bypassed GitHub guardrails by reframing the model output rather than triggering a refusal. Leaked data included contents from both public and private repositories within the same organization. The vulnerability highlights a structural weakness where an agent’s context window doubles as its attack surface. Researchers compare prompt injection in AI security to SQL injection in web application security as a systemic vulnerability class demanding systemic defenses.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

TAGGED:
Share This Article
Follow:
The latest in cybersecurity news and updates.