GitHub AI agent leaks private repositories via prompt injection attack
Summary
Researchers have discovered a prompt injection vulnerability in GitHub's preview Agentic Workflows, dubbed GitLost, that allows unauthenticated attackers to extract and publicly expose sensitive data from private repositories. The attack exploits the AI agent's tendency to interpret malicious instructions within a public GitHub issue as legitimate commands, leading it to access and leak private repository contents.
IFF Assessment
This vulnerability allows attackers to steal sensitive code and information from private repositories, posing a significant risk to organizations utilizing AI agents with privileged access.
Defender Context
This discovery highlights a critical emerging threat vector in AI-assisted development environments where AI agents with broad access can be manipulated. Defenders should be wary of prompt injection attacks against any AI-powered tools, especially those integrated with sensitive code repositories, and implement strict input validation and access controls.