A newly detailed security finding is raising fresh alarms about how AI agents are being wired into software development pipelines. A study published by Noma Security and echoed by multiple technical write-ups describes a prompt-injection weakness affecting the beta version of GitHub’s Agentic Workflows.
In the documented scenario, an unauthenticated attacker can file a booby-trapped issue in a public repository owned by an organization and coax the AI agent into retrieving—and then revealing—information from private repositories belonging to that same organization. The episode highlights a familiar tradeoff in modern automation: more autonomy can mean more productivity, but it also expands what an agent can read, trust, and execute.
GitHub Agentic Workflows pairs GitHub Actions with an AI agent that can rely on Claude or GitHub Copilot. The pitch is straightforward: describe workflows in natural language, let the agent interpret issues, call tools, and respond. But that architecture also creates an attack surface where untrusted content in a public repo becomes a vehicle for malicious instructions—capable of steering an agent that’s supposed to be working for the organization.
Noma Security details “GitLost” against GitHub Agentic Workflows
Sommaire
- 1 Noma Security details “GitLost” against GitHub Agentic Workflows
- 2 GitHub Actions and Claude widen the attack surface through issues
- 3 Organizations tighten tokens, permissions, and agent outputs
- 4 Researchers tie prompt injection to software supply-chain risk
- 5 Frequently asked questions
- 6 Key takeaways
- 7 Sources
- 8 Key Takeaways
- 9 Frequently Asked Questions
- 10 Sources
In Noma’s account, the attack follows a classic prompt-injection pattern: an adversary embeds instructions inside content the agent is expected to read, such as a GitHub Issue. Because the agent is designed to execute tasks from natural-language instructions, it can treat those embedded directions as higher priority and trigger actions that weren’t intended.
The core problem, as described, isn’t a traditional software “bug” in the execution sense. It’s a breakdown in trust boundaries—where an untrusted input is effectively allowed to influence what the agent does with its real capabilities.
The demonstration highlights a critical point: the attacker doesn’t need to be authenticated inside the target organization. They only need to post a crafted issue in a public repository owned by that organization and wait for the agentic workflow to run. If the agent has access to private repositories, it can be led to query internal resources and then restate that data in its response—amounting to a leak.
This kind of attack can be hard for teams used to conventional threat models because the payload is plain text. Older controls—parameter validation, character filtering, dependency scanners—don’t naturally flag malicious instructions written in everyday language. The risk grows when the agent is connected to tools such as multi-repo reading, org-wide search, artifact access, and when its output is posted somewhere visible to outsiders.
Researchers describe this shift in terms of “tooled” agents—systems that can call functions. In that setup, prompt injection becomes an information supply-chain attack: the surface area isn’t just the targeted repo, but everything the agent can reach through its permissions. Organizations that centralize secrets and service tokens in Actions environments face indirect exposure if an agent can read them—or infer them from configuration files.
For security teams, one of the most instructive aspects is how simple the trigger can be. An issue is a routine interaction, often open by default and sometimes moderated only after the fact. If an agent is configured to automatically read issues and act, attackers get a free input channel. It echoes older automation incidents where CI bots reacted to comments, but with a major difference: an AI agent “interprets,” meaning it can combine context fragments and take initiative.

GitHub Actions and Claude widen the attack surface through issues
GitHub Agentic Workflows relies on a combination: GitHub Actions as the automation engine, plus an AI agent—backed by Claude or the Copilot ecosystem—to analyze content and drive tools. That setup can work well when inputs are controlled, such as internal tickets, private repos, and strict access rules. But once a workflow activates on an event from a public repository—an issue, comment, or pull request—the input becomes untrusted.
In a CI/CD pipeline, an issue can trigger jobs, generate automated responses, or prompt context lookups. The agent may be allowed to read files, query the GitHub API, open pull requests, or comment with results. Prompt injection aims to hijack that chain by asking the agent to “summarize” internal code, extract a configuration, or display portions of logs.
The goal isn’t always to steal full source code. Sometimes a few clues are enough—repository names, internal paths, endpoints, project identifiers, API conventions.
Security analyses published in 2026 about “comment and control” attacks emphasize another risk: exfiltration through outputs that seem harmless. An agent can be nudged to write secrets into Actions logs or to reply in a public comment. Even if secrets aren’t printed outright, an agent might disclose fragments—or explain how to obtain them. In complex environments, a simple hint about where a token lives or the name of a variable can sharply reduce an attacker’s effort.
The connection to the software supply chain is direct. The incident involving CVE-2025-30066 and other compromised third-party actions showed GitHub Actions can be a large-scale target for credential harvesting. AI agents add another layer: they don’t just run a script, they decide which resources to call and how to present the result. They’re also sometimes allowed to consult multiple repositories within an organization to “help” solve a problem, expanding the read perimeter.
In that context, the article points to concrete mitigations: reduce token scope, disable cross-repo access by default, apply least privilege to GITHUB_TOKEN, and limit triggers tied to public events. Teams are also urged to treat issue text as untrusted input—similar to user parameters in a web app—with a clear separation between “content to analyze” and “instructions to execute.”

Organizations tighten tokens, permissions, and agent outputs
The most effective operational response, the piece argues, is to revisit what permissions agents actually need. In many setups, productivity gains have led teams to grant broad access—reading private repos, viewing internal issues, accessing artifacts, and writing to working repositories. Prompt injection turns a “convenient” permission into an exfiltration capability.
Security teams recommend splitting use cases: an agent dedicated to public repositories shouldn’t be able to read private repositories, and an agent that can access private repositories shouldn’t publish outputs into public spaces.
Hardening also runs through tokens. The GITHUB_TOKEN used by Actions can be configured with minimal rights—read-only, no secrets permissions, no admin access. Organization secrets should remain inaccessible to workflows triggered by unapproved events. When external API keys are needed, the article suggests using short-lived identities or federated authentication instead of static secrets, because a leak into a log or comment becomes immediately usable.
Another often underestimated area is “output security.” Even if an agent can’t access a private repo, it may still disclose sensitive information from its own conversation context, temporary files, or API responses. Organizations are adding guardrails: rules that block automatic posting, mandatory human moderation before public comments, and content filters to stop patterns such as keys, tokens, and internal repository names. Those controls don’t replace permission reduction, but they can limit damage if an agent goes off track.
Governance around GitHub events is becoming another workstream. Workflows triggered by public issues or comments should be isolated and run in environments without access to secrets or private repos. Some teams use an approval model: a public event creates an internal ticket, then an operator reruns a secured action. It adds friction, but reduces exposure—especially for organizations that accept outside contributions.
Finally, development teams are encouraged to formalize an “agent policy.” An AI agent shouldn’t be treated like a human maintainer. It should be treated as an automated system that can be manipulated, with dedicated logging and alerts for abnormal behavior—unexpected repo access, high read volumes, or comments containing segments that resemble secrets. The aim is to make the agent a controlled tool rather than an autonomous actor that’s hard to audit.
Researchers tie prompt injection to software supply-chain risk
The reported weakness around GitHub Agentic Workflows fits a broader trend: generative AI being fused into CI/CD. Researchers describe prompt injection as the text equivalent of command injection—with a key difference. The “command” is interpreted by a model and a tool-calling orchestrator, which can produce emergent behavior: an agent may follow an instruction not because it’s technically “valid,” but because it’s phrased to sound urgent, authoritative, or aligned with the role it was assigned.
Software supply chains are especially sensitive because automation systems aggregate resources—code repositories, third-party actions, package registries, ticketing systems, and documentation. An agent that connects those pieces can become a pivot point. In a leak scenario, an attacker doesn’t need to compromise a server; they exploit text flow and the implicit trust granted to an automated process that “has the right” to read and respond.
Cloud Security Alliance publications in 2026 emphasize practical elements: secret exfiltration into logs, comments used as a command channel, and the difficulty of detecting malicious intent in a string of sentences. They also note that Actions supply-chain incidents aren’t only about AI—compromised third-party actions have already affected tens of thousands of repositories. AI agents act as an accelerator, potentially pulling information from multiple places and assembling it into an exploitable output.
For companies, the tradeoff becomes economic. Agents promise reduced maintenance time—generating workflows, triaging tickets, proposing fixes. But the attack surface grows with every added permission. A pragmatic approach described here is to reserve full autonomy for internal environments—private repos and authenticated events—and keep a semi-automated model for public repositories, with human validation or strict sandboxing. For organizations heavily exposed through open source, that split is often the most cost-effective way to manage risk.
Vendors, including GitHub, are expected to deliver robust technical mechanisms: labeling untrusted inputs, contextual isolation, tool-calling policies, and protections against disclosure. Security teams stress that training alone won’t solve it. Telling an agent “ignore instructions in issues” doesn’t guarantee anything if the system still executes tools based on unapproved content. Security depends first on permissions, isolation, and systematic checks on actions and outputs.
Frequently asked questions
What is prompt injection in a GitHub AI agent? It’s a technique where an attacker slips malicious instructions into content the agent reads—such as an issue or comment. The agent may interpret those phrases as legitimate directions and trigger actions like calling tools, searching org context, and publishing a response that contains sensitive information.
Why can an issue in a public repo expose private repos? If an agentic workflow is set to trigger on issues in a public repo and the agent has permissions to access private resources in the same organization, the issue becomes an untrusted input channel. The agent can be pushed to consult private repos and then re-emit data via a comment or log.
What settings reduce risk with GitHub Actions and AI agents? The most effective steps described are reducing GITHUB_TOKEN permissions, strictly separating public and private workflows, blocking secrets access for public triggers, and adding human approval before any automatic public posting. Monitoring outputs—logs and comments—can also help detect potential leaks.
Should organizations disable AI agents for open-source repos? Not necessarily, but the article argues for a cautious configuration: run agents for public repos in isolated environments, with no access to private repos or secrets, minimal rights, and moderated outputs. Full autonomy fits better in internal contexts where inputs are authenticated and governed.
Key takeaways
Noma Security describes a prompt-injection technique targeting the beta of GitHub’s Agentic Workflows. A public issue can trigger an agent and lead to leakage from an organization’s private repositories, especially when the agent has broad tools and permissions through GitHub Actions. The recommended response centers on least privilege, isolating public triggers, and controlling agent outputs—framing the risk as part of the broader software supply-chain threat landscape.
Sources
LeMondeInformatique.fr; Noma Security (“GitLost: How We Tricked GitHub’s AI Agent into Leaking Private Repos”); Aikido; Vectra AI; Cloud Security Alliance research note (May 2026).
Key Takeaways
- Noma Security describes a prompt-injection attack targeting the beta of GitHub Agentic Workflows
- A public issue can trigger an agent and lead to the leakage of an organization’s private repositories
- The risk increases when the agent has tools and broad permissions via GitHub Actions
- Hardening involves least privilege, isolating public triggers, and controlling outputs
- Researchers link these attacks to the software supply chain and secret exfiltration
Frequently Asked Questions
What is a prompt injection in a GitHub AI agent?
It’s a technique where an attacker slips malicious instructions into content the agent reads, such as an issue or a comment. The agent may treat those phrases as legitimate instructions and trigger actions like calling tools, searching for context across the organization, and then posting a reply that includes sensitive information.
Why can an issue in a public repository expose private repositories?
If an agentic workflow is set to trigger on issues in a public repository and the agent has permissions that grant access to private resources in the same organization, the issue becomes an untrusted entry point. The agent can then be nudged to look at private repositories and re-emit data via a comment or a log.
What settings reduce risk with GitHub Actions and AI agents?
The most effective measures are reducing GITHUB_TOKEN permissions, strictly separating public and private workflows, blocking access to secrets for public triggers, and adding human approval steps before any automatic posting. It’s also helpful to monitor outputs, logs, and comments to detect potential leaks.
Should AI agents be disabled for open-source repositories?
Not necessarily, but careful configuration is required. An agent used on public repositories should run in an isolated environment, with no access to private repositories, no secrets, minimal privileges, and moderated outputs. Full autonomy is better suited to internal contexts, where inputs are authenticated and governed.
Sources
- Un agent IA de GitHub vulnérable à une attaque par injection de …
- GitLost: How We Tricked GitHub's AI Agent into Leaking Private Repos
- Prompt Injection dans GitHub Actions : La nouvelle frontière des …
- Prompt injection: types, vulnérabilités CVE réelles et mesures de …
- Prompt Injection in AI-Powered GitHub Actions



