GitHub AI workflow flaw can expose private repository data, researchers say

Security researchers at Noma Labs say they have uncovered a prompt-injection weakness in GitHub’s Agentic Workflows that can be abused to pull information from private repositories and post it publicl...

Security researchers at Noma Labs say they have uncovered a prompt-injection weakness in GitHub’s Agentic Workflows that can be abused to pull information from private repositories and post it publicly. The researchers nicknamed the issue GitLost.

GitHub’s Agentic Workflows let an AI agent, powered by systems such as Claude or GitHub Copilot, carry out tasks automatically inside GitHub Actions. According to the researchers, an attacker can exploit this setup by opening an issue in a public repository that belongs to the same organization as a private repo. If the issue contains carefully worded instructions, the agent may follow them, fetch data from the private repository, and then publish the material in a public comment on the issue.

How the attack works

The researchers said the attack does not require code execution, credentials, or access to the target organization’s internal systems. In their demonstration, they created a believable public issue and embedded the malicious request as if it were a routine business message. Once automation assigned the issue and triggered the workflow, the AI agent retrieved README files from both a public proof-of-concept repository and a private test repository, then exposed the private content in a comment visible to anyone.

Noma Security said the flaw is especially relevant to enterprises that connect both public and private repositories to the same GitHub organization. The concern is not only direct data leakage, but also the difficulty of predicting what connected systems an autonomous agent can reach once it begins acting on its own.

  • The researchers reported the issue to GitHub.
  • They said the problem is difficult to solve entirely in code because it stems from prompt injection behavior.
  • Noma proposed additional documentation and clearer guidance for organizations, but said that approach had not yet been added.

GitHub had not publicly commented at the time of the report. The findings highlight a broader risk facing organizations that adopt autonomous AI tools: if permissions and data paths are not tightly controlled, an assistant meant to automate work can also become a channel for silent data exposure.