GitLost: How We Tricked GitHub's AI Agent into Leaking Private Repos
GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos

I discovered a critical prompt injection vulnerability in GitHub Agentic Workflows called GitLost. By posting a crafted issue in a public repository, an unauthenticated attacker can silently trick the AI agent into reading and leaking private repository data. This attack bypasses security guardrails without requiring any coding skills or credentials, exposing a fundamental flaw in how agentic AI systems handle trust boundaries.
"Prompt injection attacks have become, to agentic AI, what SQL injections were to web applications: a systematic, category-wide vulnerability class that requires the same systematic strategies and defenses."