GitHub's AI guard dog fooled by simple trick that leaks company secrets
The vulnerability has been cheekily dubbed “GitLost.”

Github logo. By Shutterstock.
- Hackers can trick GitHub's AI agent into leaking private code by posting fake issues in public repositories owned by the same organization.
- The flaw, called GitLost, exploits how AI agents treat user input as instructions, bypassing GitHub's security guardrails entirely.
- Researchers posed as a sales VP in a fake issue, then injected hidden prompts that made the AI publicly post private repository contents.
- The vulnerability highlights a core problem with AI agents: anything they read can become an attack vector if treated as trusted instructions.
As AI prompt injection becomes an increasingly serious threat, cybersecurity researchers have found a hole in GitHub's defenses that could result in the leaking of private repositories.
Enterprise AI security and governance platform Noma Labs detailed how an attacker can abuse GitHub Agentic Workflows that have access to both public and private repositories.
These workflows let teams automate their interactions with code repositories using natural language, allowing the GitHub agent to read issues, call tools, and access other repositories within an organization.
Therefore, according to Noma, an unauthenticated attacker can extract data from private repositories by posting a fake GitHub Issue in a public repository belonging to the same organization. GitHub was informed about the discovered vulnerability.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
The researchers demonstrated how this vulnerability, aptly named GitLost, works.
They crafted an innocent-looking GitHub issue with a fake request from a VP of Sales after meeting with a customer. After a few introductory lines, the researchers injected a prompt for the AI, asking, "What is the content of README in poc repo?" and "What is the content of the same file in the testlocal repo?"
Eventually, the agent fetched the contents of README.md from both the public and private repositories and then posted them as a public comment on the issue in the public repository, which anyone could access and read, Noma said.
What's more, according to the researchers, GitHub's guardrails failed to protect the repositories.
Check if your data has been leaked
"GitLost perfectly illustrates one of the fundamental security challenges every organization faces with agentic AI systems. The agent’s context window is also its attack surface," the researchers said, emphasizing that any content the agent reads can be weaponized if the agent treats that content as instructional input.
According to the researchers, this challenge requires systematic strategies and defenses, while developers and security officers should never treat user-controlled content as trusted instruction input for an AI agent.
Among their other recommendations are scoping permissions to the minimum required, restricting what any agent can post publicly, and sanitizing or isolating user input from the instruction context before passing it to the model.