GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos
5 hours ago
- #AI Security
- #Prompt Injection
- #GitHub Vulnerability
- Noma Labs discovered GitLost, a critical prompt injection vulnerability in GitHub's new Agentic Workflows.
- Exploit allows an unauthenticated attacker to exfiltrate data from private repositories by posting a crafted issue in a public repository of the same organization.
- The GitHub AI agent, triggered by workflow events, treats malicious instructions hidden in issue content as trusted commands.
- Attackers can leverage keywords like 'Additionally' to bypass GitHub's guardrails and leak private data.
- Leaked data was posted as a public comment, making it accessible to anyone.
- Vulnerability highlights fundamental security challenges in agentic AI systems where the context window becomes an attack surface.
- Recommendations include not trusting user-controlled content, scoping permissions minimally, and isolating user input from instruction context.