saas · TheHackerNews
Researchers at Noma Security have demonstrated a prompt injection vulnerability in GitHub Agentic Workflows, a feature in public preview. An attacker can craft a seemingly routine issue on a public repository to trick an AI agent into leaking contents from an organization's private repositories, provided the agent has been granted read access across repos. The technique, called GitLost, exploits the agent's inability to distinguish between legitimate instructions and malicious directives hidden in issue text. Noma's proof of concept showed that adding the word "Additionally" to a malicious instruction was sufficient to bypass GitHub's built-in guardrails, allowing the agent to extract and post a private README to a public comment.
This vulnerability is particularly significant for defense contractors and SaaS organizations using GitHub Agentic Workflows to automate repository management. Defense contractors handling CUI or sensitive technical data should audit whether agents have cross-repository read tokens and restrict agent permissions to only necessary repositories. SaaS teams operating under SOC2 Type II should review their AI agent configurations to ensure agents cannot be manipulated to exfiltrate private code, credentials, or design documentation via public-facing channels. The underlying issue is structural rather than patchable: agents with standing credentials reading untrusted external content create an inherent leak risk. An Omniware engagement can help scope agent permissions, implement input sanitization strategies, and establish detection controls aligned with your compliance posture.
Source: The Hacker News - https://thehackernews.com/2026/07/public-github-issue-could-trick-github.html
Source: TheHackerNews
All briefings