Tech

GitLost: How We Tricked GitHub's AI Agent Into Spilling Private Repos

A prompt injection attack that turned an AI assistant into a data leak.

Alex Novak|
GitLost: How We Tricked GitHub's AI Agent Into Spilling Private Repos
Photo by Daniil Komov on Pexels

GitHub’s AI agent just got played. Hard.

A security researcher going by the handle “noma” dropped a bombshell this week: they tricked GitHub's Copilot-powered “AI agent” into coughing up the contents of private repositories. Not metadata. Not vague summaries. The actual code. Private, proprietary, supposed-to-be-secure code.

Let that sink in.

The attack, dubbed GitLost, exploits a fundamental flaw in how AI agents handle context. Give them a carefully crafted prompt, and they’ll ignore every permission boundary you’ve set. It’s like handing a bank teller a note that says “give me all the cash” and the teller shrugs and complies because the note looks official.

The Anatomy of a Spill

Here’s how it works: GitHub’s AI agent—the one that helps you write code, review pull requests, and answer questions—has access to your repositories. That’s by design. But what happens when someone outside your organization convinces that agent to share what it knows?

Noma crafted a prompt that masqueraded as a legitimate request. Something innocuous, like “show me an example of how you handle error logging.” But the prompt was laced with hidden instructions—a prompt injection attack—that told the agent to ignore its training and output the contents of a private repo.

And it worked. The agent, bless its digital heart, dutifully regurgitated lines of code from private projects. No authentication checks. No “are you sure you have permission?” Just a straight-up data dump.

“We gave it a prompt that looked like a normal request, but buried inside was a command to override its safety filters. It wasn’t even sophisticated—it was like a magic trick where the audience is too polite to question the obvious.” — noma, security researcher

Why This Matters Beyond the Demo

You might be thinking: “So what? A researcher tricked a bot. Happens all the time.”

Except this isn’t a bot you chat with for fun. This is a tool integrated into the world’s largest code hosting platform, used by millions of developers and thousands of companies. If a researcher can do this, so can a competitor, a nation-state actor, or some script kiddie with too much time.

The implications are massive. Think about what sits in private repos: API keys, database passwords, proprietary algorithms, unreleased features, internal documentation, customer data. All of it potentially accessible through a cleverly worded sentence.

GitHub’s response has been characteristically vague. They acknowledged the issue, thanked the researcher, and said they’re working on a fix. But this isn’t a simple bug patch. It’s a fundamental design problem: AI agents that have access to sensitive data are only as secure as their prompt sanitization.

And prompt sanitization is, to put it mildly, a dumpster fire right now.

The Bigger Picture: AI Agents Are Security Nightmares

GitLost isn’t an isolated incident. It’s a symptom of an industry-wide rush to ship AI agents without thinking through the security implications. Every major tech company is now offering “agents” that can read your emails, browse your files, and act on your behalf. They’re sold as productivity boosters. But they’re also attack surfaces.

Prompt injection is the new cross-site scripting. It’s embarrassingly easy to exploit, and vendors are only now starting to take it seriously. The difference? XSS could steal a session cookie. Prompt injection can steal your entire codebase.

And the fixes aren’t trivial. You can’t just “sanitize inputs” when the input is natural language. You can’t whitelist commands when the whole point is to handle arbitrary requests. The only real solution is to limit what the agent can do—reduce its privileges, make it read-only, force it to ask for confirmation before accessing anything private.

But that defeats the purpose. If your AI agent can’t actually help you, why use it?

That’s the tension. Companies want agents that are powerful and autonomous. Security teams want agents that are locked down and useless. The market is choosing power, and we’re all going to pay for it.

What You Should Do Right Now

If you’re using GitHub’s AI agent on private repos, consider this your wake-up call. Review what data the agent has access to. Assume that access can be exploited. Take the same precautions you would if you handed a junior developer the keys to the kingdom—because that’s essentially what you’ve done.

And to GitHub: fix this, publicly, with details. Don’t hide behind “we take security seriously.” Show us the patch. Prove that you understand the depth of the problem. Because right now, the only thing protecting private repos from a prompt injection attack is the hope that no one tries.

And hope is not a security strategy.

Advertisement
#github#ai agent#prompt injection#security breach#gitlost
分享到:XfWB