GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos(noma.security)
521 points by ColinEberhardt 1 day ago | 196 comments
tl;dr: Noma Labs found a prompt injection flaw ("GitLost") in GitHub's new Agentic Workflows: an attacker can file a GitHub Issue in a public repo containing hidden instructions, which the AI agent obediently executes—including reading private repos in the same org and posting their contents as a public comment. GitHub's guardrails were bypassed by prepending "Additionally" to the injected commands, causing the model to reframe rather than refuse the request. The vulnerability was responsibly disclosed and highlights that any content an agent reads becomes part of its attack surface.
HN Discussion:
  • Not a GitHub vulnerability; it's user misconfiguration granting agent access to sensitive data and public inputs
  • Prompt injection is a fundamental unsolvable flaw of LLMs, confirming the article's warning about agent attack surface
  • This is a marketing stunt dressing up an obvious LLM limitation as a novel vulnerability
  • ~Security should be enforced at the data/permission layer, not inside the LLM context
  • Corporate rush to bolt AI onto products inevitably produces these half-baked security failures