A public GitHub issue with a cleverly-worded sentence can trick an AI agent into revealing the contents of your private repository. This isn't just theoretical. Researchers at Noma Security demonstrated it against GitHub's own defenses with a minor tweak to their proof of concept.
What Happened
GitHub Agentic Workflows, which integrate AI assistants like GitHub Copilot, Anthropic's Claude, Google Gemini, or OpenAI Codex into CI/CD pipelines, have a vulnerability Noma Security calls "GitLost." The attack uses indirect prompt injection: an attacker posts a public issue with hidden instructions. When your AI agent processes that issue, it treats the attacker's instructions as valid commands and leaks private repository data.
The attack surface is larger than you might think. Any public issue your agent reads, whether it's handling bug reports, summarizing discussions, or analyzing feature requests, could be an injection point.
Which Controls Failed
Three layers of defense failed:
Input validation failed. AI agents execute instructions from untrusted sources without proper filtering. Your CI/CD pipeline should treat public issues like user-supplied input in a web application, as hostile until proven safe.
Least privilege wasn't enforced. If your AI agent can read private repositories and post data externally, it has too much access. The principle of least privilege (NIST 800-53 Rev 5, AC-6) means limiting each component to the minimum access needed.
Human oversight was bypassed. Automated agents making decisions about sensitive data without human review violate the separation of duties principle. If the agent can read private data and transmit it externally based on public instructions, you've created a privilege escalation risk.
The one-word bypass Noma demonstrated shows another failure: GitHub's defenses relied on pattern matching or keyword filtering instead of semantic analysis. Attackers don't need complex techniques, they just need to understand how the AI interprets context.
What Standards Require
OWASP ASVS v4.0.3, Section 5.2.1 mandates validating all untrusted input. AI agents processing public issues are handling untrusted input. You need input validation that recognizes prompt injection patterns, not just SQL injection or XSS.
NIST 800-53 Rev 5, AC-6 (Least Privilege) states: "Each process executes with the least privilege necessary to perform assigned functions." Your AI agent doesn't need write access to external systems if its job is to analyze issues. It doesn't need read access to all private repositories if it only works on public-facing documentation.
ISO/IEC 27001:2022, Annex A.9.2.3 covers management of privileged access rights. AI agents with repository access are privileged accounts. They need the same access reviews, logging, and monitoring you apply to service accounts and admin users.
SOC 2 Type II, CC6.1 requires logical access controls that restrict access to information assets. If your AI agent can read private code and write to external channels, you're failing this control unless you've implemented compensating controls like human approval workflows.
Lessons and Action Items
Audit your AI agent permissions today. List every AI tool connected to your repositories. Document what each agent can read and where it can write. If an agent has both read access to private data and write access to external systems, you have a GitLost-style risk.
Implement token scoping. GitHub's fine-grained personal access tokens let you limit what an agent can access. Create separate tokens for public and private repositories. Your issue-triaging agent shouldn't have the same permissions as your code review agent.
Add human checkpoints for sensitive operations. Configure your workflows so AI agents can suggest actions but not execute them. A human reviews the agent's recommendation before it touches private data or external systems. This breaks the automated attack chain.
Monitor for prompt injection patterns. Your security information and event management (SIEM) should flag when agents receive instructions that look like commands rather than normal issue text. Watch for phrases like "ignore previous instructions," "output the contents of," or "send this data to."
Test your agents with adversarial inputs. Don't wait for attackers to find your prompt injection vulnerabilities. Create test issues with embedded commands and verify your agents don't follow them. Include this in your CI/CD security testing alongside traditional penetration tests.
Review your incident response plan. If an attacker does exfiltrate private repository data through an AI agent, how quickly can you detect it? How do you revoke the compromised credentials? Who needs to be notified? Your IR plan probably doesn't cover AI-specific attack vectors yet.
The GitLost vulnerability isn't an AI problem, it's an access control problem that AI makes worse. You're connecting powerful automation to sensitive data without the same controls you'd apply to human users or traditional service accounts. Fix that gap before someone uses a public issue to walk out with your source code.



