Security · 2h ago
GitHub Agentic Workflows Bug Leaks Private Repos via Prompt Injection
GitHub's Agentic Workflows, which let AI agents triage issues via plain English prompts, are vulnerable to the GitLost attack. Noma Security showed that an attacker can post a public issue with hidden instructions, tricking the agent into reading private repos and posting contents publicly. The flaw exploits the agent's inability to distinguish owner instructions from untrusted input, combined with cross-repo read tokens and public comment posting.
Meridian48 take
The attack is a textbook indirect prompt injection, but GitHub's design choices—defaulting to broad token scopes and allowing public comment posting—made it far too easy to weaponize.
Read the full reporting
GitHub Agentic Workflows Vulnerable to GitLost Data Leak Exploit →
DEV Community
githubprompt-injection