A Hidden Command in a GitHub Issue Can Silently Steal a Company's Private Code
Researchers found a flaw in GitHub's AI automation tool that lets an outsider read an organisation's private repositories by hiding plain-English instructions inside a public bug report.

Key points
- Noma Security researchers disclosed the flaw, named "GitLost", on Tuesday after testing it with a working proof-of-concept attack.
- An attacker needs no account, password, or coding skills to exploit it, only the ability to open a public issue on GitHub.
- The attack targets GitHub Agentic Workflows, an AI-powered automation tool that can read across multiple code repositories inside a single organisation.
- GitHub told Noma it updated the documentation that created the vulnerability; the researchers confirmed it was no longer present at last check.
- Organisations using AI automation tools with broad internal access are advised to immediately restrict what those tools can read and share.
Researchers at Noma Security have found a way to trick GitHub's AI automation tool into handing over a company's private code and internal documents, without breaking into a single account or exploiting a software bug in the traditional sense.
The attack exploits something called prompt injection. That is where a criminal hides plain-English instructions inside content that an AI system reads, causing the AI to follow those instructions as if they came from its own operators. In this case, the content is a GitHub Issue, which is a public comment thread developers use to report bugs or request changes.
The vulnerable tool is GitHub Agentic Workflows, a product that pairs GitHub Actions (the platform's built-in system for automating coding tasks) with an AI assistant backed by either Anthropic's Claude or GitHub Copilot. Development teams use it to manage their code repositories through ordinary conversational language instead of writing manual scripts.
How did the attackers get in?
They didn't need to "get in" at all. That is what makes this unusual.
An outsider can open an issue on any public GitHub repository belonging to an organisation that uses this tool. Inside the issue body, they hide commands written in plain English. The AI agent reads the issue as part of its normal work, treats those hidden commands as legitimate instructions, and then quietly pulls information from the organisation's private repositories before posting it back as a public comment.
Noma's proof-of-concept successfully exposed details of an internal company meeting.
No password. No hacking. Just words in a text box.
"The agent's context window is also its attack surface," wrote Sasi Levi, security research lead at Noma, referring to the full body of text the AI can read at any one time. "Any content the agent reads can be weaponised if the agent treats that content as instructional input."
Noma disclosed the flaw responsibly to GitHub. GitHub said it updated the documentation that set up the vulnerable configuration, and Noma confirmed the specific example was no longer visible at the time of writing. Dark Reading first reported the details.
What should organisations do right now? Audit every AI workflow tool and strip it back to the minimum access it actually needs. An AI agent that manages issues in one repository has no business reading every private repository across the whole organisation. Isolate untrusted user content, anything the public can write, from the instructions that govern how the AI behaves. Treat them as two completely separate inputs, never mixed.



