What happened
Noma Labs (Noma Security) disclosed GitLost, a structural indirect prompt injection vulnerability in GitHub's newly launched Agentic Workflows feature. The vulnerability exploits the agent's inability to distinguish trusted workflow instructions from untrusted issue content, combined with overly broad read-access tokens, to exfiltrate private repository data into a public comment.
Why it matters
GitHub Agentic Workflows is a new, widely-adopted feature pairing GitHub Actions automation with LLM agents; this shows a repeatable, zero-credential technique for exfiltrating private source code and secrets from any organization that grants an agent broad read scope — a systemic risk pattern for any agent-based CI/CD automation.
Attack vector
An unauthenticated attacker posts a crafted public GitHub Issue containing prompt-injection instructions in an organization's public repository. When a workflow configured to trigger on issue-assignment events (with a token granting cross-repo, including private-repo, read access) processes the issue, the agent follows the injected instructions to fetch private repository contents (e.g., README.md) and paste them into a public comment on the issue — requiring no credentials or organizational access from the attacker.
Affected systems
GitHub Agentic Workflows (GitHub Actions + AI agent backed by Claude or GitHub Copilot)
Mitigation
Scope Agentic Workflow tokens to a single repository rather than org-wide cross-repo read access; gate agent outputs behind human review before posting publicly; treat untrusted issue content as data, not instructions. Responsibly disclosed to GitHub by Noma Labs prior to publication.