GitLost tricks GitHub's AI agent into leaking private repos
Noma Labs researchers filed an ordinary looking issue in a public repository and let the automation do the rest. GitHub Agentic Workflows pairs Actions with an agent backed by Claude or Copilot, and when a workflow picked the issue up, the agent read plain English instructions hidden in the body, fetched a README from a private repository in the same organization, and posted the contents as a public comment.
No credentials, no exploit code, no access beyond the ability to open an issue; The Register's write-up says the agent leaked when asked nicely. Noma disclosed to GitHub before publishing, and its advice is old trade wisdom: treat user controlled text as water, never as instructions, and scope every fitting to the minimum flow it needs.
How the leak travels
Five fittings, one bad joint: the agent treats the issue body as instructions, so the last station empties the tank onto the street.