GitLost: Public Issue Can Exfiltrate Private GitHub Data
🔒 Researchers at Noma Security demonstrated that a crafted public GitHub issue can manipulate GitHub Agentic Workflows into exposing private repository contents. The attack, named GitLost, exploits indirect prompt injection to trick an agent with organization-wide read access into pulling private data and posting it publicly. GitHub's preview feature for agentic workflows includes guardrails, but Noma showed a minor wording change can bypass them. The core problem is architectural: agents with standing credentials that read untrusted input and can post outward create persistent leakage risk.
