Security · 1h ago
GitHub AI agent leaks private repos via prompt injection in public issues
Noma Labs researchers tricked GitHub's Agentic Workflows into reading and posting private repository contents as a public comment. The attack used a crafted issue with hidden instructions, bypassing guardrails with a single keyword. This demonstrates a systemic vulnerability class similar to SQL injection for agentic AI.
Meridian48 take
The finding underscores a fundamental trust boundary flaw in agentic systems: models cannot distinguish operator instructions from user-controlled content, making prompt injection a structural security challenge.
Read the full reporting
GitHub's AI agent can be tricked into leaking private repos via a public Issue →
DEV Community
prompt-injectiongithub-actions