Public GitHub Issue Could Trick GitHub Agentic Workflows Into Leaking Private Repo Data

Public GitHub Issue Could Trick GitHub Agentic Workflows Into Leaking Private Repo Data

Public GitHub Issue Could Trick GitHub Agentic Workflows Into Leaking Private Repo Data

https://thehackernews.com/2026/07/public-github-issue-could-trick-github.html

Publish Date: 2026-07-07 10:04:00

Source Domain: thehackernews.com

A public issue can trick GitHub Agentic Workflows into leaking the contents of an organization’s private repositories, researchers at Noma Security have shown.

The attacker needs only to open a normal-looking issue on a public repository, with no stolen credentials and no access to the organization. If that organization has given the agent read access across its repositories, private ones included, the issue can steer it into pulling private contents into a public comment.

Noma calls the technique GitLost. The target is GitHub Agentic Workflows, a feature now in public preview that GitHub launched in February. Instead of writing automation scripts, you write instructions to an AI agent in plain English in a Markdown file. The agent reads issues and pull requests, runs tools, and replies on its own.

It can be powered by GitHub Copilot, Anthropic’s Claude, Google Gemini, or OpenAI Codex. Workflows are read-only by default, but an organization can hand one a token with read access across its repositories to give it cross-repo context, private ones included.

That grant is the setup GitLost turns against it.

How the trick works

The weakness is a well-known one: indirect prompt injection. An AI agent cannot reliably tell the difference between instructions from its owner and instructions hidden inside the content it happens to read. So if an attacker writes those instructions into an issue, the agent may simply follow them.

In Noma’s proof of concept, the malicious issue was dressed up as a routine request from a VP of Sales after a customer meeting. The workflow it hit was set to wake up when an issue is assigned, read the issue, and reply with a comment. It also had read access to the organization’s other repos.

Once a routine automation assigned the issue, the agent pulled a private repository’s README and pasted it into a public comment on the issue.

GitHub built guardrails to stop exactly this. In its own documentation, the company warns that “AI…

Source