GitLost: How We Tricked GitHub's AI Agent Into Leaking Private Repositories

Noma Security introduces GitLost, an indirect prompt injection attack against GitHub Agentic Workflows that can coerce AI-powered GitHub agents into disclosing data from private repositories. By embedding malicious instructions inside a seemingly legitimate public GitHub issue, an attacker can exploit agents that have overly broad repository permissions, causing them to retrieve confidential files and publish them in public comments. The research demonstrates that prompt-based guardrails can be bypassed with minor linguistic changes, highlighting that the root cause is architectural rather than a simple implementation bug. The authors recommend enforcing least-privilege permissions, isolating agents that process untrusted content from those with access to sensitive repositories, limiting public output channels, and treating all externally supplied content as untrusted input. 

https://noma.security/blog/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos

Comments

Popular posts from this blog

Prompt Engineering Demands Rigorous Evaluation

SecObserve: Simplified Vulnerability and License Management for CI/CD Pipelines

OWASP ZAP 2.16.0 Introduces Key Updates and Enhancements