A Hidden Note in a Bug Report Tricked GitHub's AI Into Leaking Company Secrets

Researchers showed how a single crafted message in a public GitHub issue could fool an AI assistant into reading private code and posting it online for anyone to see.

ThreatVectr Newsdesk· 3 min read
A close-up, sharply focused photograph of a glowing laptop screen in a darkened office, showing lines of green and white code reflecting faintly on a glass desk
Share

Key points

  • Noma Security published research in 2025 showing GitHub's preview AI agent feature can be tricked into leaking private repository contents through a manipulated public issue.
  • The attack, named GitLost, requires no stolen passwords, no malware, and no hacking of GitHub's servers.
  • An unauthenticated outsider, meaning someone with no GitHub account privileges at all, can trigger the leak simply by submitting a crafted public bug report.
  • GitHub's AI agent does not distinguish between a private and a public repository; it sees any accessible resource as fair game.
  • Researchers also found that GitHub's built-in safety filters could be bypassed with a minor rewording of the hidden instructions.

GitHub is the platform where millions of software developers store and share their code. Many companies keep sensitive projects locked away in private repositories there, the equivalent of a filing cabinet that only approved staff can open. GitHub recently introduced a preview feature called Agentic Workflows, which pairs an AI assistant with automated tasks so that developers can, for example, ask the AI to read a bug report and automatically update documentation.

That convenience introduced a new risk.

Security company Noma Security demonstrated an attack they call GitLost. It works like this: a complete outsider submits a public bug report, called a GitHub Issue, to any public project that uses the new AI workflow feature. Hidden inside that bug report are plain-English instructions telling the AI what to do next.

How did the hackers get in?

They did not break in at all, at least not in the traditional sense. The AI agent simply read the instructions embedded in the bug report and followed them, the same way it would follow a developer's legitimate request.

This kind of attack is called a prompt injection, where hidden commands inside ordinary-looking text hijack an AI system's behaviour. Because the AI treats all text it reads as potential instructions, it cannot tell the difference between a genuine task from a developer and a trap set by a stranger.

In Noma's demonstration, the AI retrieved a README file, a plain-text introduction document, from a private repository and posted its full contents in a publicly visible comment. Anyone on the internet could then read it.

Researcher Sasi Levi put it plainly: the AI became an unintended bridge between private internal data and the open internet.

Independent security researcher Vibhum Dubey, quoted in the original CSO Online report, highlighted why this goes beyond one AI assistant behaving badly. The real problem is architectural. The AI agent runs with broad service-account permissions, meaning it has access to far more data than any individual human user would normally see, and it has no built-in understanding that some of that data is meant to stay private.

"The agent doesn't 'know' a repository is private," Dubey said. "It just sees 'accessible'."

For organisations deploying AI tools in their software development pipelines, the practical fixes are straightforward. Give AI agents an explicit list of repositories they are allowed to touch, rather than broad access. Treat every piece of text an AI reads from the public, including bug reports and pull request descriptions, as untrusted input that needs checking before the AI acts on it. Keep a kill-switch ready so a misbehaving agent can be shut down immediately.

Noma stressed that this is not a flaw unique to GitHub. Any AI agent that can read untrusted public content and also access sensitive internal systems carries the same structural risk.

© 2026 Threat Vectr