Public GitHub Issue Could Cheat GitHub Workflows Leaking Private Repo Data

A social problem can be tricky GitHub Agetic Workflows by leaking the contents of the organization’s private sources, Noma Security researchers have shown.
An attacker only needs to open a seemingly normal issue in a public repository, with no stolen credentials and no access to the organization. If that organization gave an agent read access to all of its repositories, private, entries, the problem could be directed at pulling private content into public comment.
Noma calls the trick GitLost. The target is GitHub Agetic Workflows, a feature now in public preview that GitHub launched in February. Instead of writing automation scripts, you write to the AI agent in plain English in a Markdown file. The agent reads problems and pulls requests, implements tools, and responds automatically.
It can be powered by GitHub Copilot, Anthropic’s Claude, Google Gemini, or OpenAI Codex. Workflows are read-only by default, but an organization can assign a single token with read access to all of its repositories to give them cross-repo context, including private ones.
That grant is a setup that GitLost is against.
How the trick works
Weaknesses are well known: indirect rapid injection. An AI agent cannot reliably tell the difference between instructions from its owner and instructions hidden within the content it reads. So if an attacker writes those instructions in an issue, the agent might just follow them.
In Noma’s proof of concept, the brutal issue was dressed up as a routine request from the VP of Sales after a customer meeting. The workflow it discovered was programmed to wake up when an issue is assigned, read the issue, and respond with comments. It also had access to learning in other residential areas of the organization.
When the automation provided the issue, the agent pulled the README of the secret repository and attached it to the public comments about the issue.
GitHub is building guardrails to stop this exactly. In its documentation, the company warns that “AI agents can be fooled by rapid injection, malicious cache, or malicious tools,” and the product is shipped with sandboxing, automatic read-only tokens, input sanitization, and a threat detection step that scans what the agent is proposing before it’s shipped.

Noma reported that in its tests, a single word change was enough to pass. It includes a prediction of the cruel discipline as “In addition” led the model to treat it as a follow-up activity, not something to reject, and the monitor let it pass.
Why is this one different?
What makes GitLost different is what the attacker gets to control. “Previous injection examples were about spoofing the agent,” Sasi Levi, Security Research Lead at Noma Security, told The Hacker News. “GitLost is about manipulating what an agent does with its permissions.”
The agent here, he said, is not a chat window but an authenticated actor sitting within the organization’s infrastructure close to CI/CD, with learning access that includes areas where an attacker cannot see them. It doesn’t touch the server, doesn’t need stolen information, and doesn’t need write access to anything private. The attacker should only open a public issue.

The setup fits what developer Simon Willison called the “lethal trifecta”, and Levi uses the same term: an agent that can access private data, that takes untrusted external content, and has a way to export data. Combine all three, and you’ve got a recipe for a leak.
This is not the type of bug the patch covers; since Levi is independent, it is a structural consequence of giving AI agents static credentials while making them read text accessible to an attacker.
Why does this keep happening
GitLost is the latest in a similar type of attack, and THN has reported several in recent months. A flaw in Anthropic’s Claude Code GitHub Action allows a single malicious issue to run an agent in a leaky encryption and seize write access to a repository.
Orca Security’s RoguePilot used information hidden in a GitHub issue to make Copilot leak a privileged token from the repository. A version of the GitHub-agent problem goes back to at least May 2025, when Invariant Labs showed that a public problem could push an agent connected to GitHub’s MCP server to read a private repo and reward it with a pull request; the researchers called it architectural, without a server-side patch to close it.
A multi-vendor study called Comment and Control then tricked agents of Claude Code, Gemini CLI, and GitHub Copilot into awarding their API keys with an extract and pull script, bypassing GitHub’s added protection at runtime.
What you have to do now
Noma exposed GitLost on GitHub and published his findings with the company’s information. Exposure is limited to organizations that have enabled previewing and wired an agent to read untrusted public comments while holding read access to private repositories and able to post publicly.
What an attacker can extract depends on what the agent token can see, from proprietary source code to internal keys, design documentation, or CI/CD secrets. As Levi puts it, scope is what matters most: an agent token accessed from a single check point is “much less dangerous than getting org-wide read access” for convenience.
Essentially, that cross-repo access comes from a personal access token that the organization sets up, so the access token is in one place where the workflow is processed rather than the entire organization. Writing only flows to results that are declared safe, so limit what the public-facing workflow can send, because the comments you output are a filter channel. Limit which author’s content the agent will act on, and enter your results after human review.
GitHub’s threat detection initiative scans the agent’s output before it sends it, but passing one word of Noma is a reminder that the filter is at the back, not the front.
GitHub, like other vendors, built guardrails for this type of attack, and a single name change bypassed them. Researchers and marketers themselves continue to put the result under “architectural limitations,” and Levi’s point is why the label sticks: in natural language, there is no clean line between data and instruction as there is in SQL, so the correction depends on the design rather than filter injection away, isolation, limited credentials, and planned updates.
Until that boundary is in place, any agent that reads private data, provides untrusted input, and can send it publicly is one smartly written story away from a leak.



