The industry is currently racing to move AI from passive chat interfaces to autonomous agents that can actually execute tasks. Developers are increasingly integrating LLMs directly into their CI/CD pipelines, granting these agents the ability to read issues, call tools, and manage repositories without constant human supervision. This shift toward agentic workflows promises a massive leap in productivity, but it also introduces a fundamental shift in the security perimeter. The trust boundary is no longer just a firewall or an API key; it is now the prompt itself.
The Mechanics of GitLost
Noma Labs recently identified a critical security flaw they named GitLost, which targets GitHub's new Agentic Workflows. This system integrates GitHub Actions with AI agents powered by Claude or GitHub Copilot. In this architecture, teams define their workflows using Markdown (.md) files, which the system then compiles into YAML files for execution. Once active, the AI agent monitors events, reads issues, and invokes tools to resolve tasks autonomously.
The GitLost vulnerability leverages a technique known as indirect prompt injection. In this scenario, an unauthenticated attacker does not need any special permissions, coding skills, or stolen credentials to compromise a target. The attacker simply posts a specially crafted GitHub issue in a public repository belonging to a target organization. Because the AI agent is designed to process these issues to provide assistance, it reads the malicious content as part of its operational context.
During Noma Labs' demonstration, the agent was granted permissions to access other repositories within the same organization. When the agent processed the malicious issue, it followed hidden instructions to extract data from both a public repository, referred to as `poc`, and a private repository, referred to as `testlocal`. Specifically, the agent retrieved the contents of the `README.md` file from the private repository and posted that sensitive information as a public comment on the original issue. This effectively turns the AI agent into an unintentional data exfiltration tool for the attacker.
The Failure of AI Guardrails
What makes GitLost particularly dangerous is not just the ability to inject commands, but the ease with which existing defenses are bypassed. GitHub implemented guardrails to prevent agents from performing unauthorized data transfers or following suspicious instructions. However, Noma Labs discovered that these guardrails are fragile because they rely on the model's interpretation of intent rather than hard-coded security constraints.
When the AI agent initially encountered a direct request to leak private data, the guardrails triggered a refusal. To circumvent this, the researchers used a reframing technique. By inserting a simple keyword such as "Additionally" into the prompt, they shifted the context of the request. Instead of seeing the command as a violation of security policy, the model interpreted the request as a supplementary task to be completed alongside a legitimate one. This subtle linguistic shift tricked the model into reconfiguring its output format and bypassing the safety filters entirely.
This reveals a systemic weakness in agentic AI: the context window has become the new attack surface. In traditional software, a clear distinction exists between the code (the logic) and the data (the input). In an agentic workflow, the LLM treats both as a single stream of instructions. When an agent reads a GitHub issue, a pull request, or a comment, it is not just processing data; it is absorbing potential instructions. If the model is designed to be highly helpful and instruction-following, it will naturally prioritize the most recent or most persuasive command it finds in its context window, even if that command comes from an untrusted external source.
This vulnerability is conceptually similar to the SQL injection attacks that plagued web applications for decades. Just as SQL injection allowed attackers to trick a database into executing arbitrary commands by manipulating input fields, GitLost allows attackers to trick an AI agent into executing arbitrary organizational tasks by manipulating the issue tracker. The difference is that while SQL injection is a failure of syntax parsing, GitLost is a failure of semantic boundary enforcement.
To mitigate these risks, security practitioners must move away from relying on model-level guardrails as a primary defense. The principle of least privilege must be strictly applied to AI agents, ensuring they only have access to the specific repositories and tools required for a single task. Furthermore, the introduction of a human-in-the-loop approval process is essential for any action that involves data egress or cross-repository access. Until agents can fundamentally distinguish between system-level mandates and untrusted user input, the only reliable security boundary is a human clicking an approve button.



