GitLost: How We Tricked GitHub's AI Agent Into Leaking Private Repositories
Noma Security introduces GitLost, an indirect prompt injection attack against GitHub Agentic Workflows that can coerce AI-powered GitHub agents into disclosing data from private repositories. By embedding malicious instructions inside a seemingly legitimate public GitHub issue, an attacker can exploit agents that have overly broad repository permissions, causing them to retrieve confidential files and publish them in public comments. The research demonstrates that prompt-based guardrails can be bypassed with minor linguistic changes, highlighting that the root cause is architectural rather than a simple implementation bug. The authors recommend enforcing least-privilege permissions, isolating agents that process untrusted content from those with access to sensitive repositories, limiting public output channels, and treating all externally supplied content as untrusted input.
https://noma.security/blog/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos
Comments
Post a Comment