| GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos(noma.security) | |
| 522 points by ColinEberhardt 1 day ago | 196 comments | |
tl;dr: Noma Labs found a prompt injection flaw ("GitLost") in GitHub's new Agentic Workflows: an attacker can file a GitHub Issue in a public repo containing hidden instructions, which the AI agent obediently executes—including reading private repos in the same org and posting their contents as a public comment. GitHub's guardrails were bypassed by prepending "Additionally" to the injected commands, causing the model to reframe rather than refuse the request. The vulnerability was responsibly disclosed and highlights that any content an agent reads becomes part of its attack surface. | |
HN Discussion:
| |