
TL;DR
Security researchers discovered a prompt injection vulnerability in GitHub's Agentic Workflows that allows attackers to extract private repository contents through public issues.
Security researchers at Noma Labs disclosed a critical vulnerability in GitHub's Agentic Workflows feature that allows unauthenticated attackers to extract data from private repositories. The attack requires nothing more than posting a crafted GitHub Issue in any public repository within an organization.
GitLost is the name researchers gave to a prompt injection vulnerability affecting GitHub's new Agentic Workflows system. The core issue: insufficient trust boundary enforcement between untrusted user input and AI agent instructions.
When an organization enables Agentic Workflows with cross-repository access, the AI agent can read files from both public and private repositories. The problem is that the agent also processes the content of GitHub Issues - which anyone can create on public repos.
The attack chain is straightforward:
The researchers demonstrated successful extraction of README files and code from private repositories, with the agent dutifully posting the contents as public issue comments.
One detail from the disclosure stands out. GitHub appears to have implemented guardrails to prevent obvious prompt injection attempts. The researchers found that adding the word "Additionally" to their payload bypassed these protections, forcing the model to reframe output rather than refuse.
This highlights a fundamental problem with LLM guardrails - they are essentially more prompts, and prompts can be overridden with... more prompts.
Newsletter
Get the weekly deep dive
Tutorials on Claude Code, AI agents, and dev tools, delivered free every week.
From the archive
Jul 8, 2026 • 6 min read
Jul 7, 2026 • 6 min read
Jul 7, 2026 • 5 min read
Jul 7, 2026 • 7 min read
The Hacker News discussion (280+ comments at time of writing) is filled with developers debating whether this is a GitHub vulnerability or a user misconfiguration issue.
One commenter framed the core problem clearly:
"Who thought having a LLM with access to private information, with public access to ask it questions, would ever be a secure process?"
Several commenters pointed out this is analogous to setting up a CI job with access to secrets and running it on public PRs. If you configure GitHub to allow public code or LLM instructions to run in contexts with access to sensitive data, that data will leak.
The discussion around guardrails was particularly pointed:
"LLM guardrails are either just written prompts as in 'Please do not bad stuff :(' or other LLMs verifying that the first LLM didn't do some bs. Both methods do not work sufficiently as time shows again and again."
Another commenter offered a succinct take on the architectural issue:
"The answer is you should not allow LLMs access to untrusted input and sensitive data at the same time."
A few developers noted that the proper fix is for GitHub to prevent agentic workflows from executing in a public repo context if they also have private repo access. Several mentioned they're moving to self-hosted alternatives like Forgejo.
The SQL injection comparison came up repeatedly, with commenters pointing out a key difference: SQL injection is fully mitigated by prepared statements. There is no equivalent "prepared statement" solution for prompt injection.
Read the full thread at https://news.ycombinator.com/item?id=48827858.
This vulnerability illustrates what security researcher Simon Willison calls the "Lethal Trifecta" - the dangerous combination of:
Any two of these might be acceptable. All three together creates an exploitable system.
GitHub's Agentic Workflows shipped with all three by default. Organizations that enabled cross-repository access effectively gave every GitHub user on the internet a channel to query their private repositories.
The researchers and HN commenters suggest several mitigations:
For organizations using GitHub Agentic Workflows:
For anyone building AI agent systems:
For the industry:
This is not the first AI agent security incident, and it will not be the last. As one HN commenter noted, we are in "the wild west phase of agent usage."
The pattern is now well-established: a company ships an AI feature with broad permissions, researchers find a prompt injection path, the company patches that specific attack, and researchers find another. The underlying architecture - mixing untrusted input with trusted instructions in the same context window - remains unchanged.
Until the industry develops architectural solutions (not just guardrails) for separating instructions from data in LLM contexts, every agent system that processes untrusted input while holding sensitive permissions is a vulnerability waiting to be discovered.
Read next
Armin Ronacher's new essay explores the tension between letting AI agents loop autonomously and maintaining the engineering comprehension that makes software maintainable. The Hacker News discussion adds practical caveats worth reading.
9 min readFilippo Valsorda argues that LLMs have ended the era of treating security researchers with kid gloves. When anyone can discover vulnerabilities with an AI, the old coordinated disclosure model breaks down.
7 min readOak rethinks version control for agentic workflows with virtual mounts, faster snapshots, and lower VCS-related token overhead. Here's what the HN community thinks about this Show HN.
8 min readTechnical content at the intersection of AI and development. Building with AI agents, Claude Code, and modern dev tools - then showing you exactly how it works.
OpenAI's coding agent for terminal, cloud, IDE, GitHub, Slack, and Linear workflows. Reads repos, edits files, runs comm...
View ToolGives AI agents access to 250+ external tools (GitHub, Slack, Gmail, databases) with managed OAuth. Handles the auth and...
View ToolOpen-source cloud sandboxes for AI agents. Isolated environments that start in under 200ms, run code in Python, JavaScri...
View ToolThe TypeScript toolkit for building AI apps. Unified API across OpenAI, Anthropic, Google. Streaming, tool calling, stru...
View ToolSpec out AI agents, run them overnight, wake up to a verified GitHub repo.
View AppTurn a one-liner into a working Claude Code skill. From idea to installed in a minute.
View AppTurn any GitHub repo into a shareable PNG. README hero in one shot.
View AppConfigure Claude Code for maximum productivity -- CLAUDE.md, sub-agents, MCP servers, and autonomous workflows.
AI AgentsWhat MCP servers are, how they work, and how to build your own in 5 minutes.
AI AgentsA complete, citation-backed Claude Code course with setup, prompting systems, MCP, CI, security, cost controls, and capstone workflows.
ai-development
Build Anything with Vercel, the Agentic Infrastructure Stack Check out Vercel: https://vercel.plug.dev/cwBLgfW The video shows a behind-the-scenes walkthrough of how the creator rapidly builds and d

Check out Trae here! https://tinyurl.com/2f8rw4vm In this video, we dive into @Trae_ai a newly launched AI IDE packed with innovative features. I provide a comprehensive demonstration...

Boost Your Productivity with Augment Code's Remote Agent Feature Sign up: https://www.augment.new/ In this video, learn how to utilize Augment Code's new remote agent feature within your...

Flipper Devices announces their firmware hit 1.0 stability and outlines a new community contribution model - while HN de...

Cloudflare announces native support for the x402 HTTP payment protocol, letting developers charge for API calls and web...

A developer reverse-engineered Claude Code and found hidden markers that classify users by timezone, domain, and API key...

Semgrep's security research team benchmarked LLMs on IDOR vulnerability detection. The open-weight GLM 5.2 beat Claude C...

Filippo Valsorda argues that LLMs have ended the era of treating security researchers with kid gloves. When anyone can d...

Armin Ronacher's new essay explores the tension between letting AI agents loop autonomously and maintaining the engineer...

New tutorials, open-source projects, and deep dives on coding agents - delivered weekly.