Press TechRound interviews Secure.com CEO on the future of AI security
Read

GitLost: A Fake GitHub Issue Can Trick AI Agents Into Leaking Your Private Code

GitLost tricks GitHub AI agents into leaking private repo data through a public issue. Here is how the attack works and how to stop it.

Dateline: July 8, 2026

Your GitHub Agent Has the Keys, and GitLost Knows How to Ask

A researcher opened a normal looking GitHub issue. Minutes later, a company’s private repository showed up in a public comment for anyone to read.

No password. No stolen account. No malware. Just a few sentences written in plain English.

That is GitLost, and it turns a helpful AI feature into a quiet leak.

What Happened?

Researchers at Noma Labs disclosed GitLost on July 6, 2026. It targets GitHub Agentic Workflows, a feature launched in February that is still in public preview.

The feature lets teams write automation in plain Markdown instead of code. An AI agent, powered by Claude or GitHub Copilot, then reads issues, runs tools, and posts replies on its own.

Here is where it breaks. Many teams give that agent read access across all their repositories, private ones included, so it has more context to work with.

Noma built a proof of concept around that setup. They posted a public issue dressed up as a routine request from a VP of Sales after a customer meeting. Hidden in the body were plain English commands for the agent.

Once an automation assigned the issue, the agent read the hidden instructions, pulled a private repository’s README, and pasted it into a public comment.

The root cause is indirect prompt injection. An AI agent cannot reliably tell the difference between instructions from its owner and instructions buried in the content it reads. So the attacker just writes the orders into the issue and waits.

GitHub did build guardrails for this, including read only tokens by default and a step that scans the agent’s output before it posts. Noma found that a one word change slipped right past. Prefixing the malicious instruction with “Additionally” made the model treat it as a follow on task instead of something to refuse.

What’s the Impact?

Any GitHub account can open an issue on a public repository. So the barrier for an attacker is close to zero.

What they can steal depends on what the agent’s token can see. That could mean source code, API keys, design documents, or CI/CD secrets.

As Noma’s Sasi Levi framed it, earlier prompt injection tricks changed what an agent said. GitLost changes what an agent does with its permissions.

The uncomfortable part is that this is not a simple bug to patch. It is a structural problem with giving AI agents standing credentials while feeding them text that attackers can reach.

How to Avoid This

  • Scope the token to the single repository the workflow triages. Do not hand it organization wide read access for convenience.
  • Keep agents that read untrusted public input away from agents that touch private data.
  • Limit what a public facing workflow can post, since that comment is the exfiltration channel.
  • Treat every issue, pull request, and comment as hostile input, not trusted instruction.
  • For sensitive actions, add a human approval gate before the agent posts anything public.

Your AI Agents Inherit Every Permission You Forget to Revoke

GitLost is not really about GitHub. It is about what happens when an autonomous agent holds broad credentials and reads text an attacker controls. Secure.com helps you close that gap before it becomes a leak.

  • Map the full blast radius of every agent, including which repositories and secrets its tokens can reach
  • Flag over scoped access and cross repository permissions that public facing workflows should never hold
  • Catch prompt injection paths where untrusted input meets private data and a public output channel
  • Add human approval gates on sensitive agent actions like posting comments or moving data across trust boundaries
  • Monitor agent behavior in real time so silent exfiltration does not go unnoticed