GitHub Agentic Workflows indirect prompt injection security flaw
Vulnerability
Summary
Hide ▲
Show ▼
GitHub Agentic Workflows has an indirect prompt injection flaw that can let a public issue leak content from private repositories into public comments. The risk is highest when an organization gives the agent broad read access across repos, because attacker-controlled text can steer the agent into exfiltrating data it can already read. In Noma Security's proof of concept, the workflow pulled a private repository's README and posted it publicly, and a one-word change, Additionally, bypassed GitHub's guardrail.
Related Happenings
Single organization's private GitHub repository cloned after confirmed access
Data Leak
H score12
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
**Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
Single organization's private GitHub repository cloned after confirmed access
Data LeakAbout this happening: **Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
GitHub API enumeration campaign targeting corporate organizations
Campaign
H score17
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
GitHub API enumeration campaign targeting corporate organizations
CampaignAbout this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
GitHub npm GAT publish-token mitigation guidance
Advisory/Mitigation
H score25
First: 09.07.2026 19:49
Last: 09.07.2026 19:49
Sources 1
About this happening:
GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...
GitHub npm GAT publish-token mitigation guidance
Advisory/MitigationAbout this happening: GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/Service
H score11
First: 23.06.2026 17:22
Last: 23.06.2026 17:22
Sources 1
About this happening:
GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/ServiceAbout this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
Miasma supply-chain malware activity
Malware Activity
H score34
First: 10.06.2026 23:27
Last: 10.06.2026 23:27
Sources 1
About this happening:
The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
Miasma supply-chain malware activity
Malware ActivityAbout this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
Timeline
-
07.07.2026 17:04 2 articles · 2d ago
Noma Security discloses GitLost prompt injection flaw in GitHub Agentic Workflows
Initial DisclosureNoma Security disclosed GitLost, an indirect prompt injection flaw in GitHub Agentic Workflows that can steer an agent with broad repository read access into copying private repository content into a public issue comment. The proof of concept showed a normal-looking public issue could exfiltrate a private repository's README, and a one-word prefix, "Additionally", was enough to bypass GitHub's guardrail.
Show sources
- Public GitHub Issue Could Trick GitHub Agentic Workflows Into Leaking Private Repo Data — thehackernews.com — 07.07.2026 17:04
- Public GitHub Issue Could Trick GitHub Agentic Workflows Into Leaking Private Repo Data — thehackernews.com — 07.07.2026 17:04