{"id":4523,"date":"2026-07-08T07:44:47","date_gmt":"2026-07-08T07:44:47","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/07\/08\/gitlost-flaw-lets-attackers-trick-github-ai-agent-into-leaking-private-repos\/"},"modified":"2026-07-08T07:44:47","modified_gmt":"2026-07-08T07:44:47","slug":"gitlost-flaw-lets-attackers-trick-github-ai-agent-into-leaking-private-repos","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/07\/08\/gitlost-flaw-lets-attackers-trick-github-ai-agent-into-leaking-private-repos\/","title":{"rendered":"\u2018GitLost\u2019 Flaw Lets Attackers Trick GitHub AI Agent Into Leaking Private Repos"},"content":{"rendered":"<div><img data-opt-id=146953090  fetchpriority=\"high\" decoding=\"async\" width=\"770\" height=\"330\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/07\/Untitled-design-2026-07-08T090516.587.jpg\" class=\"attachment-large size-large wp-post-image\" alt=\"\" \/><\/div>\n<p><img data-opt-id=1832864700  fetchpriority=\"high\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/07\/Untitled-design-2026-07-08T090516.587-150x150.jpg\" class=\"attachment-thumbnail size-thumbnail wp-post-image\" alt=\"\" \/><\/p>\n<p>A security flaw in GitHub\u2019s <a href=\"https:\/\/devops.com\/github-tests-ai-agents-to-handle-repository-upkeep\/\" target=\"_blank\" rel=\"noopener\">months-old GitHub Agentic Workflows<\/a> allows attackers to use an indirect prompt injection to trick the AI agent into grabbing information from a private repository and quietly posting it in a public repository belonging to the same organization.<\/p>\n<p>The vulnerability, dubbed \u201cGitLost\u201d by Noma Security researchers, is only the latest example for developers and security teams of the <a href=\"https:\/\/devops.com\/mozilla-shows-the-danger-of-indirect-prompt-injections-in-ai-coding-agents\/\" target=\"_blank\" rel=\"noopener\">risks that come with AI agents<\/a> and how vulnerable they are to deceptive tactics by threat actors that often \u2013 as in this case \u2013 don\u2019t need coding skills, access, or stolen credentials to run such campaigns.<\/p>\n<p>This is different from a classic prompt injection, according to Sasi Levi, security research lead with Noma. Those earlier prompt injection examples were primarily about manipulating what an agent said, similar to jailbreaking a chatbot\u2019s output. In contrast, GitLost is about manipulating what an agent does with its permissions.<\/p>\n<p>\u201cThe agent here isn\u2019t just a chat window; it\u2019s a credentialed actor sitting inside an org\u2019s CI\/CD-adjacent infrastructure with read access spanning repos the attacker themselves doesn\u2019t have access to,\u201d Levi said. \u201cThe exploit doesn\u2019t touch a server, doesn\u2019t need stolen credentials, and doesn\u2019t even require write access to anything private. The attacker just has to be able to open a public issue, which, on a public repo, often requires no special privileges at all. That\u2019s a much lower bar than most vulnerability classes.\u201d<\/p>\n<h3>The Indirect Prompt Injection Threat<\/h3>\n<p>It\u2019s why indirect prompt injections \u2013 where the bad actor embeds hidden instructions in external data sources that the agent treats as valid user instructions and executes them \u2013 have become a favorite tool of attackers. Security analysts with Forcepoint in April <a href=\"https:\/\/www.forcepoint.com\/blog\/x-labs\/indirect-prompt-injection-payloads\" target=\"_blank\" rel=\"noopener\">detailed 10 indirect prompt injection payloads<\/a> found in the wild.<\/p>\n<p>The payloads were triggered by such phrases as \u201cignore previous instructions\u201d and \u201cif you are an LLM,\u201d according to the report.<\/p>\n<p>\u201cThe verified indicators analyzed here confirm that web-based Indirect Prompt Injection (IPI) is actively weaponized across the open web \u2013 not merely theoretical,\u201d Mayur Sewani, senior security researcher with Forcepoint\u2019s X-Labs research team, wrote in the report. \u201cEvery case follows the same kill chain: the attacker embeds a hidden payload, an AI agent ingests the page, the trust boundary collapses and a real-world action executes.\u201d<\/p>\n<h3>Trying Out the Technique on GitHub<\/h3>\n<p>Noma\u2019s researchers used this technique to test GitHub Agentic Workflows, which the Microsoft-owned company released in February. The system essentially is an AI agent that runs on GitHub Copilot or <a href=\"https:\/\/devops.com\/layerx-anthropics-claude-code-can-easily-be-easily-weaponized\/\" target=\"_blank\" rel=\"noopener\">Anthropic\u2019s Claude model<\/a> and is paired with GitHub Actions, a CI\/CD and automation platform built directly into GitHub.<\/p>\n<p>With GitHub Agentic Workflows, developers can write their GitHub workflows in plain Markdown and the agent reads the issues, brings together tools, and then responds autonomously.<\/p>\n<p>Noma researchers found that any bad actor can create a GitHub issue and, in the body text, hide commands in plain English. The GitHub agent will follow the commands. The GitHub issue they created appeared to be a request from a vice president of sales after a customer meeting, with commands for the agent to follow.<\/p>\n<p>GitHub automation assigned the issue and the agent dutifully fetched the contents of README files from both public repositories and a private one, then posted the files as a public comment in a public repository that anyone could access.<\/p>\n<h3>\u2018Additionally\u2019 Was a Key<\/h3>\n<p>In some ways, it came down to one word. The researchers tested GitHub with multiple variations of the instructions to get around guardrails the company had put in place for the agent. In one command, adding the keyword \u201cadditionally\u201d did the trick, triggering the model to bypass its guardrails and run the instruction rather than refuse it.<\/p>\n<p>The problem is a mismatch between where the agent\u2019s permissions live and where its inputs come from, Levi said. If an agent is given identity read access across multiple repositories \u2013 including private ones \u2013 for cross-repository context, but also processes untrusted text from a public repository, it combines broad access with an open input channel and a built-in publishing mechanism, which is the comment itself.<\/p>\n<p>\u201cThat combination is sometimes called the \u2018lethal trifecta,\u2019\u201d he said, \u201caccess to sensitive data, exposure to untrusted content, and an available exfiltration path.\u201d<\/p>\n<h3>\u2018A Dangerous Paradigm Shift\u2019<\/h3>\n<p>Ram Varadarajan, CEO of Acalvio, said GitLost shows that a single, well-placed keyword \u2013 \u201cadditionally\u201d \u2013 can trick an AI agent into silently leaking an organization\u2019s private repository onto the open web.<\/p>\n<p>\u201cFor cybersecurity leaders, this marks a dangerous paradigm shift, where an AI\u2019s context window doubles as its attack surface, allowing unauthenticated bad actors with zero technical skill to weaponize routine automation,\u201d Varadarajan said. \u201cTo plug this hole, security teams must immediately revoke broad cross-repository permissions and treat all user-generated content as hostile instruction rather than trusted input.\u201d<\/p>\n<p>He added that \u201ccrucially, what\u2019s also highlighted is that AI agents are an exploding attack surface. Multi-layered defenses are the need of the hour. And given the LLM-driven vulnerability, we also need to focus on model-aware defenses that act in real-time. It\u2019s the new era of bot-on-bot cyber-defense.\u201d<\/p>\n<p><a href=\"https:\/\/devops.com\/gitlost-flaw-lets-attackers-trick-github-ai-agent-into-leaking-private-repos\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>\n<p>\u200b<\/p>","protected":false},"excerpt":{"rendered":"<p>A security flaw in GitHub\u2019s months-old GitHub Agentic Workflows allows attackers to use an indirect prompt injection to trick the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4524,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-4523","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4523","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4523"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4523\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4524"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4523"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}