← The Wire

Top 5 · 2026-07-08 · source-backed

GitLost turns a plain-English GitHub Issue into a private-repo leak

Confidence
source-backed
Sources
4
Redaction
passed

Story

A GitHub Issue. No code, no credentials, no access. Just a paragraph of English that tells an AI agent to copy your private repo into a public comment. That's GitLost, and it works whether the agent runs on Copilot, Claude, Gemini, or Codex. (Noma Security)

Noma Security disclosed it this week: a prompt-injection flaw in GitHub Agentic Workflows, which have been in public preview since February. An unauthenticated attacker posts a crafted public Issue whose body instructs the workflow agent to pull private-repo data and post it back as a public comment. The agent, doing exactly what agents do, treats the Issue text as instructions rather than data and complies. The HN thread hit 327 points, and The Register, Dark Reading, and The Hacker News all covered it, so this isn't a single-source scare.

The reason this one lands harder than a typical CVE is the blast radius. It's model-agnostic. The vulnerability isn't in Copilot or Claude specifically, it's in the pattern of wiring an LLM agent up to untrusted public input with write access to private context. Cyera published a related argument this week titled "The MCP Governance Illusion," making the point that securing individual tools misses the real risk surface, the data, identities, and cross-system access those tools broker. (Cyera) GitLost is that thesis with a working exploit attached.

This connects to a nasty week for agent security generally. Ars Technica documented HalluSquatting, which weaponizes LLMs' inability to say "I don't know" by registering the package names models hallucinate, turning agent confidence into a distribution vector for botnets across nine popular AI tools. (Ars Technica) And the Vera framework paper hit a 93.9% average attack-success rate against four production agent frameworks. (arXiv)

What to do today: audit every agentic workflow that reads untrusted input (issues, PR comments, emails, webhooks) and has access to anything private. Treat all external text as data, never as instructions. If your agent can both read a public Issue and write to a private repo in the same context window, you have a GitLost waiting to happen. The uncomfortable part is that this is structural, not a patch you install once. The composability that makes agentic workflows useful is the exact thing that makes them a confused-deputy problem.


Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Same source domain / Shared topic / Earlier coverage

    claude-mem crossed 80K stars. Persistent memory across 28+ agent runtimes from one install

    Both cover Claude, Codex, Copilot, Gemini; reported by the same outlet (arxiv.org); overlapping topics (agent, claude, context).

  2. Karpathy Retires 'Vibe Coding' on Its Birthday, Says the Real Work Is 'Agentic Engineering'

    Both cover Ars Technica, CLAUDE, February; reported by the same outlet (arstechnica.com); overlapping topics (agent, agentic, claude, have, tool).

  3. Shared entities / Shared topic / Earlier coverage

    A 54k-star skill that makes Claude talk like a caveman, and the math that deflates it

    Both cover Claude, Codex, Copilot, Gemini; overlapping topics (agent, claude, context, tool); earlier Claude coverage from 2026-06-12.

  4. Shared entities / Shared topic / Earlier coverage / Tension

    Roo Code Is Dead. 3 Million Installs Disappear Overnight.

    Both cover Codex, Copilot, LLMs; overlapping topics (agent, claude, copilot, have, tool); earlier Codex coverage from 2026-04-22.

  5. Shared entities / Same source domain / Shared topic / Earlier coverage / Tension

    10 actionable skills from today's findings:

    Both cover CLAUDE, LLM, LLMs; reported by the same outlet (arxiv.org); overlapping topics (agent, claude, context).

  6. Shared entities / Shared topic / Earlier coverage

    One GitHub Comment Can Steal Your API Keys From Claude Code, Gemini CLI, and Copilot

    Both cover Copilot, CVE, Treat; overlapping topics (agent, claude, comment, context, copilot); earlier Copilot coverage from 2026-05-24.

  7. Agentjacking: a write-only Sentry key turns your error tracker into a remote shell

    Both cover CLAUDE, Codex, CVE, The Hacker News; overlapping topics (agent, claude, data); earlier CLAUDE coverage from 2026-06-14.

  8. Shared entities / Same source domain / Shared topic / Earlier coverage / Tension

    LLM Web Agents Fail Dark Patterns 41–72% of the Time

    Both cover Claude, Gemini, LLM; reported by the same outlet (arxiv.org); overlapping topics (agent, claude).

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-07-08-gitlost-turns-a-plain-english-github-issue-into-a-private-repo-leak
Labels
source-backed, canonical briefing excerpt