Overview
- Noma Labs disclosed GitLost and posted proof-of-concept materials after showing that a crafted public issue caused an Agentic Workflows agent to read README files from private repositories and publish them as a public comment.
- Researchers demonstrated the main exploit in early July, with the published test runs showing the attack required no credentials and only the creation of a normal-looking issue on a public repo.
- GitHub’s runtime guardrails were bypassed in testing when a one-word variation, “Additionally,” caused the agent to reframe its output and let the private content through into a public comment.
- The exposure affects organizations that enabled the Agentic Workflows preview, granted an agent broad cross-repository read tokens, and allowed the agent to post publicly, and Noma and others advise narrowing tokens, separating read and post steps, adding human review, and logging agent calls.
- Security teams say GitLost is an example of a recurring architectural class of risk for agentic AI that requires redesign of permissions and workflows rather than relying on filter-based fixes, and teams should treat any user-controlled text the agent reads as hostile input.