A researcher didn't need to write a single line of exploit code to pull private source out of GitHub's new Agentic Workflows features. Noma Labs got there with a fake sales inquiry. The team opened a public GitHub issue posing as a "VP of Sales" following up after a customer call, buried a plain-English instruction inside it, and watched an AI agent connected to GitHub's Agentic Workflows feature fetch a private repository's README and post it in a public comment for anyone to read. GitHub has not shipped a fix because there isn't a direct patch or a substantially meaningful fix. This is about the underlying architecture of how these systems generally work and the weaknesses of the current guardrails.
The significance in GitLost, the term Noma chose for this Indirect prompt injection AI subversion technique, isn't the specific bug: it's what GitLost makes clear about how one-way agentic AI can actually fail. For years, the prompt-injection conversation has centered on manipulated outputs: can an attacker make a bot say something false or offensive? GitLost shows that more damaging failures are possible. Which is that once an agent carries real permissions into real "agency," prompt injection stops being a content problem and becomes an authorization and permissions problem, and that spells bigger trouble.
Sasi Levi, the Noma researcher behind the disclosure, breaks GitLost down into three ingredients: an agent that can access private data, an agent that reads content from outside its trust boundary, and an agent that can send information back out. Levi argues that this combination isn't a GitHub-specific quirk — it's the default shape of agentic deployments spreading across engineering teams right now. "GitLost is not a niche GitHub issue," Levi said. "It exposes a pattern already common in the wild" — autonomous agents with access to private data, exposure to untrusted content, and permission to communicate outward. "That is the recipe for AI-driven data exfiltration." Strip away the GitHub branding, and that recipe describes half the internal AI chatbots and ticket-triage assistants going into production this year.
What indirect prompt injection demands from defenders
Prompt injection used to be about words; now it's about actions. "Earlier prompt injection examples were largely about manipulating what an agent said," Levi told CYBR.SEC.Media. "GitLost is about manipulating what an agent does with its permissions." The operational consequence, in Levi's framing, is a wholesale shift in what defenders should be asking. "GitLost forces a mindset change for any defender still asking, 'Can the attacker influence the answer?' to 'Can the attacker influence an authorized action?'" Once an agent holds permissions, prompt injection is no longer a filtering problem. It's an access-control problem, and it demands the same discipline: mapping and controlling the entire route from untrusted input, through whatever privileged tool access the agent has, to whatever output channel lets it talk to the outside world.
That's not a light lift.
The fixes Noma recommends read like essential access and content control hygiene, applied to a new set of conditions. Never let user-submitted content, such as issues, comments, or tickets, serve as instructions to the model; treat it strictly as data. Keep agent permissions as narrow as the task requires, as any agent that can access more than one repository becomes a target worth attacking. Lock down what an agent is permitted to post publicly, particularly when that output is triggered by untrusted input. And separate that input from the model's instruction context before it's processed. The context may be new AI use cases. Still, the fixes are segmentation and least privilege concepts teams should have applied to service accounts for years, now retrofitted for software that understands context and carries more agency than a typical API call."
Levi said GitLost is evidence that a known weakness moved from theory to a live workflow: agents can be talked into using legitimate permissions to move data to an illegitimate destination. "GitLost is a new exploit path, not a new class of bug," Levi said. "The class was already known... What GitLost shows is that this is no longer theoretical in developer workflows." GitHub can maybe get new guardrails in place to close this particular gap. But the underlying pattern that an agent that reads hostile text, touches private data, and can speak outward isn't something a patch fixes.
Organizations need to treat agentic permissions with the same, or even more, suspicion than older types of privileged accounts.