Public GitHub Issue Demonstration Shows Risk of Private Data Exposure in Agentic Workflows

Researchers at Noma Security say a public GitHub issue can be used to manipulate GitHub Agentic Workflows into exposing data from private repositories, highlighting a new class of risks tied to AI-dri...

Researchers at Noma Security say a public GitHub issue can be used to manipulate GitHub Agentic Workflows into exposing data from private repositories, highlighting a new class of risks tied to AI-driven development tools.

The attack, which Noma calls GitLost, does not require stolen credentials or access to an organization’s internal systems. Instead, an attacker can open an ordinary-looking issue on a public repository and include instructions designed to influence the AI agent handling it. If the organization has granted that agent read access across multiple repositories, including private ones, the workflow may retrieve sensitive content and place it into a public reply.

GitHub Agentic Workflows, currently in public preview, lets teams define automation in plain language. The agent can read issues and pull requests, run tools, and respond automatically. It can also be powered by systems such as GitHub Copilot, Anthropic Claude, Google Gemini, or OpenAI Codex. By default the feature is read-only, but organizations can extend its access with tokens that span several repositories.

According to Noma, the weakness is a form of indirect prompt injection: the model may treat attacker-written text as instructions rather than untrusted data. In the proof of concept, a workflow that reacted to assigned issues was persuaded to read a private repository’s README and post it publicly. The researchers said even a small wording change was enough to get past the product’s built-in safety checks in their test.

GitHub has already warned that AI agents can be influenced by malicious content and compromised tools, and its platform includes sandboxing, input cleaning, and output scanning before posts are published. Still, researchers say the broader issue is structural when an agent can read private data, process untrusted public text, and publish results.

Why it matters

  • Organizations using broad repository-wide read access face the highest exposure.
  • Potential leaks may include source code, internal documents, keys, or CI/CD secrets.
  • Security experts recommend scoping tokens narrowly, limiting who can trigger workflows, and requiring human review for public-facing outputs.

Noma disclosed the issue to GitHub and published its findings with the company’s knowledge. The case adds to a growing list of similar prompt-injection demonstrations across AI coding and GitHub-integrated tools.