All notes

AI

Jul 8, 2026

GitHub Copilot Agent Manipulated into Leaking Private Repository Data

Security researchers at Noma tricked GitHub's AI agent into exfiltrating private repository contents, exposing an attack surface that grows with every agentic coding tool.

The Noma security team published a prompt injection attack against GitHub's AI agent that caused it to leak private repository data. The attack, dubbed GitLost, demonstrates a class of vulnerability that is not specific to GitHub — it applies to any agentic system that ingests untrusted content and acts on it with persistent credentials.

The core mechanics follow the standard indirect prompt injection pattern. The agent reads attacker-controlled content — a file, a comment, a README — embedded with instructions that override its intended behavior. Because the agent has access to private repository context and the user's authenticated session, those injected instructions can direct it to exfiltrate data the attacker would otherwise have no access to.

The implications for engineering teams are direct. If your organization uses GitHub Copilot in agent mode, any repository the agent can read becomes a potential exfiltration surface the moment it touches untrusted input. That includes pull requests from external contributors, third-party dependency files, and issue comments. The attack does not require the agent to have explicit write permissions to cause harm — read access plus an outbound channel is sufficient.

For solo founders and small teams shipping with agentic coding tools, the risk posture is worth revisiting now. Scoping agent permissions to the minimum required context reduces blast radius. Treating any externally-sourced content as potentially adversarial — not just executable code — is the operative mental model.

This research arrives as GitHub, Cursor, and similar tools push deeper into autonomous multi-step workflows. The capability surface expands faster than the security review cycle. Prompt injection against agents is not a theoretical concern; it is an active exploitation category with working proofs of concept in production-grade tools.

The full technical writeup is on the Noma Security blog.