Skip to content
← All news
6 min read

One word let attackers trick GitHub's AI agent into leaking private repos

Noma Security found that a single public GitHub Issue, worded the right way, could get GitHub's Agentic Workflows AI agent to fetch private repository files and post them as a public comment. The bypass still works.

One word, added to a GitHub Issue, was enough to make an AI agent leak private code publicly.

Researcher Sasi Levi at Noma Security found that a public GitHub Issue, worded the right way, could trick GitHub's Agentic Workflows AI agent into reading private repository files and posting them as a public comment. No credentials, no access, no coding skill required. Just open an issue in a public repo and wait for the agent to pick it up.

How the attack actually works

Agentic Workflows pairs GitHub Actions with an AI agent, Copilot, Claude, Gemini, or OpenAI Codex, that follows natural-language instructions written in Markdown. An attacker opens an issue in a public repository belonging to an organization that has the feature turned on, and hides commands inside the issue title and body. When the workflow fires on an event like the issue being assigned, the agent reads that content as if it were a legitimate instruction.

In Noma's demonstration, the hidden instruction told the agent to fetch README files from repositories it had access to, including private ones in the same organization, and post the contents back as a public comment on the issue. Noma pulled a README from a private repo called sasinomalabs/testlocal this way. The attacker never touches the private repo directly. The agent does it for them, then hands the result over in public.

One word beat the guardrails

GitHub's Agentic Workflows already ships with sandboxing, read-only tokens by default, input cleaning, and a threat-detection step that scans an agent's output before it posts. Noma got past all of it by adding a single word. Prefixing the injected instruction with "Additionally" made the model treat the leak request as a routine follow-on task rather than something to flag, and the threat-detection filter let it through.

The deeper problem is architectural, not a missing filter. In natural language, there is no clean line between data and instruction. An AI agent reading a GitHub Issue cannot reliably tell the difference between what its owner told it to do and what a stranger's issue text is asking it to do. A one-word bypass is what happens when a filter is doing the job a boundary should be doing.

Where this stands

Noma disclosed GitLost to GitHub and published its findings with GitHub's knowledge, on July 6, 2026. As of publication, the "Additionally" bypass still works, and neither GitHub nor Microsoft has issued a public statement addressing it. Exposure is limited for now since Agentic Workflows is still a preview feature, only organizations that opted in are affected, but the underlying pattern is not specific to GitHub. Any AI agent that reads untrusted text and can take action on it is a candidate for the same trick.

Noma's own recommendations are unglamorous and correct: treat all user-controlled content as untrusted input, restrict an agent's permissions to the minimum it actually needs, restrict what an agent is allowed to post publicly, and sanitize input before it ever reaches the model.

Why a build studio cares

We wrote about Claude Code's own origin story a day ago, a tool we use every day, built by wiring an AI agent into exactly the kind of everyday developer workflow GitLost targets. That is not a coincidence we can shrug off. Any agent we connect to a client's repo, ticket queue, or inbox reads content we did not write and was not vetted by us. GitLost is a clean demonstration of what goes wrong when an agent cannot tell a stranger's text from its own instructions, and it is a checklist we now run against our own agent integrations before they touch anything private.

Next step: read Noma's original writeup for the full technical walkthrough, and The Hacker News' report for the disclosure details. If you're wiring an AI agent into a repo, inbox, or ticket queue and want a second pair of eyes on the trust boundary, write to us at hello@gattyworks.com.

AI SecurityGitHubPrompt InjectionGitLostGitHubPromptInjectionAISecurityAIAgentsAppSecInfoSecSoftwareSupplyChainDevSecOpsCyberSecurity
04 · BRIEF

Ready to ship?

Send a brief. You will get a written reply, a fixed quote, and a delivery date within 24 hours. If we miss that window, the website fee on your first project is refunded in full.

24h reply, or 100% website fee refunded
Average reply under 4 hours. Always inside 24.