GitHub's AI coding agent has a prompt injection flaw that lets attackers steal private repository data with nothing but a crafted issue ticket.
Noma Labs researchers discovered the vulnerability, which they named GitLost. The attack works by submitting a specially worded GitHub issue that manipulates the AI agent into leaking private repos it has access to. No exploit code is required — plain English is enough. As of publication, GitHub has not shipped a fix or even added documentation acknowledging the problem.
The finding matters because GitHub's AI agent operates with access to private code by design — that's the point of an AI coding assistant. An attacker who can redirect that access through a social-engineering prompt doesn't need to breach GitHub's infrastructure at all; they just need to open an issue.
Prompt injection attacks against AI agents are not new — researchers have demonstrated similar techniques against other AI-integrated tools — but GitLost is a clean example of why bolting an autonomous agent onto sensitive data before the security model is settled is a risky order of operations.