GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos

Nature of the vulnerability

  • GitHub Agentic Workflows were configured to:
    • Read public issue titles/bodies.
    • Reply via public comments.
    • Have read access to other org repos, including private.
  • Attackers could inject instructions into public issues that caused the agent to read private repos and paste contents back as public comments.
  • Several commenters stress the key failure is a missing trust boundary between untrusted issue content and private-repo access.

Who is at fault?

  • One camp: this is primarily user misconfiguration.
    • Researchers explicitly granted the agent org-wide repo access and allowed it to process untrusted public issues.
    • Analogy: giving a CI job secrets and then running it on public PRs.
  • Other camp: this is a GitHub design flaw.
    • Reasonable users expect an agent in a public repo not to leak unrelated private repos.
    • Permissions are too coarse and GitHub doesn’t make safe configuration easy or obvious.

Prompt injection & (un)solvable guardrails

  • Many argue prompt injection is inherent to LLMs: user input is instructions, so there is no strong way to separate “code” from “data.”
  • Comparisons to SQL injection:
    • Similar in that untrusted input changes behavior.
    • But unlike SQL, there is no equivalent of prepared statements; guardrails are just more input text and can be overridden.
  • Some see it more like social engineering: you can only mitigate via process and access control, not “fix” the model.

Permissions, architecture, and mitigations

  • Widely shared view: the only real defenses are architectural:
    • Run agents with the same or stricter permissions than the prompting user; never with “root”/org-wide access.
    • Scope agents to a single repo or narrowly defined workflows; segment workflows with different tokens.
    • Restrict writes from agents handling public input, even if they can read private data.
    • Sandbox agents and give them their own credentials; treat them like untrusted users.
  • Some suggest better UIs for per-prompt/per-workflow permissions and more granular GitHub tokens.

Trust in GitHub, cloud, and AI integrations

  • Skepticism toward GitHub/Microsoft:
    • Perception of “AI everywhere” driven by investor pressure, leading to rushed, insecure features.
    • Concerns about private repo data feeding Copilot training unless opted out.
  • A visible subgroup advocates moving to self-hosted forges (Forgejo, Codeberg, bare git) to avoid AI integration and regain control.

Broader reflections

  • Several commenters see this as another example of weak security culture (“criminal negligence,” “YOLO” shipping).
  • Consensus themes:
    • LLMs should be treated as another UI layer, not a privileged backend.
    • You cannot rely on model-level guardrails; only hard security barriers and least-privilege design meaningfully reduce risk.