GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos
- AI
- Security
- Developer Tools
- Open Source
The post describes a prompt injection against GitHub Agentic Workflows. Noma set up a workflow that read public issue text, had permission to read other repos in the organization including private ones, and could post a public reply. With that configuration, they got the agent to pull code from a private repo and publish it into a public comment. People largely agreed the exploit itself is unsurprising. If you let an LLM ingest untrusted public input, touch sensitive data, and write to a public channel, you have built an exfiltration path. What people zeroed in on was where the failure actually sits. Many rejected the article’s comparison to SQL injection as too optimistic. SQL injection became broadly manageable once code and data were cleanly separated with parameter binding. Prompt injection is harder because natural language is the instruction medium. There is no equivalent prepared statement for a general-purpose agent today.
Treat any AI agent as an untrusted operator with whatever permissions and output channels you gave it. If you are deploying agents against code, tighten scopes to the active repo or user, block risky public write paths, and assume prompt-level guardrails will fail.
-
noma.security
- Discuss on HN