Agents
GitLost: prompt injection in GitHub Agentic Workflows leaks private repos with zero credentials (CVE-2026-44246)
Noma Security disclosed on July 6 that an unauthenticated attacker can post a crafted issue on a public org repo and get the AI agent (Claude or Copilot) to exfiltrate a private repo's README into a public comment — no code, just English hidden in plausible corporate text, using an 'Additionally' prefix to bypass guardrails. The agent triggers on issues.assigned, reads the issue, and responds via add-comment while holding read access to other org repos. The HN thread hit 174 points, splitting on misconfiguration vs. systemic agent risk; the root cause is CWE-1427 (untrusted issue text treated as instructions), the same class as the tj-actions and GhostAction supply-chain attacks.
↳ Follow the thread