• Category: Security
  • Status: confirmed
  • Sources: Noma Security writeup, HN discussion
  • Summary: Noma Security published on 2026-07-08 an account of a prompt-injection attack, called GitLost, against GitHub Agentic Workflows, the feature that pairs GitHub Actions with Copilot or Claude agents driven by natural-language Markdown files. An attacker files an issue in a public repository of an organization that uses the workflows, hiding instructions in the issue text. When the workflow runs on an event such as issue assignment, the agent treats the issue content as trusted instructions, reads private repository contents such as README files, and posts them as a public comment on the attacker's issue. The researchers bypassed output guardrails by reframing the leak with the word "Additionally." The attack needs no credentials or code, only the ability to open an issue. Noma says it disclosed the issue to GitHub before publishing.
  • Comments: HN commenters note the writeup gives no fix date and question whether the guardrail bypass can recur through different phrasings, and argue that an LLM with private-data access answering public prompts is inherently unsafe.
  • Why it matters: Any organization that enabled GitHub Agentic Workflows with cross-repository read access exposed private code to unauthenticated attackers through public issues.

Send feedback on this story