Researchers Flag Prompt Injection Flaw in GitHub Agentic Workflows
Security researchers at Noma Labs have identified a critical prompt injection weakness in GitHub Agentic Workflows that could let an unauthenticated attacker expose data from private repositories. The...
Security researchers at Noma Labs have identified a critical prompt injection weakness in GitHub Agentic Workflows that could let an unauthenticated attacker expose data from private repositories. The issue, dubbed GitLost, shows how a maliciously crafted public GitHub Issue can influence an AI-powered workflow into carrying out unintended actions.
GitHub Agentic Workflows lets teams define automations in markdown, with an AI agent interpreting those instructions and interacting with repositories through GitHub Actions. According to Noma Labs, one tested workflow was set to react to issues.assigned events, read the issue’s title and body, and post a reply. Because the workflow had access to both public and private repositories in the organization, the researchers say it could be abused to retrieve sensitive information.
In the proof-of-concept described by the company, an attacker needed only to create an issue in a public repository and wait for the workflow to process it. Noma Labs said it was able to craft a message that appeared to come from sales leadership and persuade the agent to gather the contents of Readme.md files from public and private repositories before publishing the results as a public comment.
GitHub has implemented protections intended to reduce prompt injection risk, but the researchers reported that those controls were bypassed during testing. They said the behavior was eventually triggered after trying several variants, including one that added the word “additionally.”
Why the finding matters
Noma Labs said the flaw highlights a broader security challenge for agentic AI systems: any content the agent consumes can become part of the attack surface if it is treated as trusted instruction rather than untrusted input. The company compared indirect prompt injection to SQL injection in traditional web applications, arguing that it requires layered defenses rather than isolated safeguards.
- Treat all user-generated content as untrusted input.
- Limit agent permissions to the minimum necessary.
- Restrict what AI systems can publish publicly.
- Sanitize content before passing it to agentic workflows.
The issue was responsibly disclosed to GitHub. Noma Labs said organizations using agentic workflows should assume that issues, pull requests, comments, and repository files can all be manipulated if they are used as instructions for AI agents.
