→ Back to Home
GitHub Actions

New 'GitLost' Prompt Injection Exposes GitHub Agentic Workflows to Data Leakage

A new security disclosure, dubbed 'GitLost,' has revealed a critical prompt injection vulnerability impacting GitHub Agentic Workflows, which underpin advanced automation within GitHub Actions. This vulnerability, disclosed by Noma Labs, highlights how AI agents designed to automate tasks can be manipulated through untrusted public GitHub issue text to leak private repository data. The core issue arises when a publicly triggered workflow, with broad read access to an organization's private repositories, is permitted to publish output, such as comments, without sufficient human review or strict output controls. This development is highly significant for any organization utilizing or planning to adopt GitHub Agentic Workflows for tasks like issue triage, documentation updates, or CI failure analysis. The ability for an attacker to craft a malicious prompt within a public issue and have an AI agent inadvertently copy sensitive information from private repositories into a public comment poses a direct and severe data leakage risk. While GitHub's Agentic Workflows are designed to run with default read-only permissions and within sandboxed containers, the GitLost PoC demonstrates that the interplay of specific configuration choices can circumvent these safeguards. Practitioners must understand that the security posture is not solely dependent on GitHub's platform-level controls but also critically on how these powerful AI-driven workflows are configured and deployed. This incident fits into a broader, well-established trend in cloud and DevOps security, specifically concerning the emerging attack surface presented by AI-powered automation and 'agentic' systems. As AI agents gain more autonomy and access to sensitive environments, the risk of prompt injection and other forms of adversarial AI attacks becomes paramount. The industry has been grappling with securing CI/CD pipelines for years, and the introduction of AI agents into these pipelines adds a new layer of complexity. Traditional security models, focused on code and infrastructure, must now extend to encompass the 'intent' and 'context' of AI agents. This vulnerability underscores the need for robust input validation, stringent access controls, and careful output sanitization, especially when AI agents bridge public and private data domains. The lessons learned from securing traditional CI/CD, such as least privilege and environment separation, are now being re-applied and extended to the AI agent paradigm. In practice, organizations should immediately audit their GitHub Agentic Workflows. Key actions include: first, identifying any workflows triggered by public inputs (like issue comments) that also have read access to private repositories. Second, verifying that all workflows with private repository access enforce strict human approval gates before publishing any output to public channels. Third, reviewing the scope of GitHub App tokens used by these workflows to ensure they adhere to the principle of least privilege. Finally, implementing monitoring and alerting for unusual activity in public comments or workflow logs that might indicate data exfiltration attempts (e.g., private repository names, internal project terms, or large blocks of copied text). The disclosure emphasizes that a prompt rule telling a model not to reveal private data is insufficient if the workflow grants the model private read access and a public write tool. The onus is on developers and security teams to configure these powerful tools responsibly, treating prompt injection as a configuration risk that requires immediate attention.
#github actions#security#ai agents#prompt injection#devops security#agentic workflows
Read original source