GitLost Vulnerability Lets AI Leak Private Repos Via Public Issues
GitLost demonstrates that AI agents processing user-written text can be exploited to leak private data, a problem Noma Labs compares to SQL injection.
Reporting from 1 source: GIGAZINE.
Security firm Noma Labs has reported a vulnerability called GitLost that allows an AI agent to leak the contents of private GitHub repositories by posting them as comments on public Issues. The attack works by embedding malicious instructions in an Issue body, which the AI agent treats as commands. The vulnerability is a form of indirect prompt injection, and Noma Labs recommends restricting AI agent permissions and sanitizing user input.
The attack does not require the attacker to have credentials or direct access to the private repository. According to the Noma Labs report, the vulnerability arises from GitHub Agentic Workflows that process Issue bodies as instructions. The AI agent, triggered by an Issue assignment event, reads the Issue title and body and posts a reply comment. If the workflow has permissions to read both public and private repositories, an attacker can embed hidden instructions that cause the agent to retrieve and post private README.md content. Noma Labs found that the AI agent's defenses could be bypassed by varying phrasing, with a particular keyword altering behavior. The firm recommends treating user-controllable text as untrusted, minimizing AI agent permissions, and sanitizing input before passing it to the agent.
Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.