Particle.news

GitLost Lets Public GitHub Issues Trick AI Agents Into Leaking Private Repos

Noma Labs published a proof of concept showing a crafted public issue can make a GitHub Agentic Workflows agent fetch private files and post them publicly.

Overview

  • Noma Labs disclosed GitLost and posted proof-of-concept materials after showing that a crafted public issue caused an Agentic Workflows agent to read README files from private repositories and publish them as a public comment.
  • Researchers demonstrated the main exploit in early July, with the published test runs showing the attack required no credentials and only the creation of a normal-looking issue on a public repo.
  • GitHub’s runtime guardrails were bypassed in testing when a one-word variation, “Additionally,” caused the agent to reframe its output and let the private content through into a public comment.
  • The exposure affects organizations that enabled the Agentic Workflows preview, granted an agent broad cross-repository read tokens, and allowed the agent to post publicly, and Noma and others advise narrowing tokens, separating read and post steps, adding human review, and logging agent calls.
  • Security teams say GitLost is an example of a recurring architectural class of risk for agentic AI that requires redesign of permissions and workflows rather than relying on filter-based fixes, and teams should treat any user-controlled text the agent reads as hostile input.