
How the GitLost Attack Works
Security researchers at noma.security have published details of a vulnerability they've named GitLost, which demonstrates how GitHub's AI-powered coding agent can be manipulated into disclosing sensitive code from private repositories. The attack hinges on the AI agent's context window—the ability to consider files currently open in a developer's editor, including those from repositories the user has access to. By carefully constructing a prompt that instructs the agent to "summarize" or "explain" code while referencing specific file paths or commit histories, a malicious actor with access to a project (even a low-level collaborator) could coax the agent into regurgitating code blocks that contain credentials, proprietary algorithms, or other confidential data.
According to the research paper published by noma.security, the engineering team tested multiple prompt injection techniques against GitHub's agentic workflow, which automatically fetches relevant context from the repository to answer developer queries. They found that by referencing a file known to exist only in a private repo—such as a configuration file containing database passwords—and asking the AI to "improve the following code" while pasting a snippet indicative of that file, the agent occasionally returned the full file contents. This class of indirect prompt injection bypasses access controls because the AI system operates with the privileges of its user, yet its training data and context-assembly mechanisms can inadvertently leak information across permission boundaries.
Scope of the Exposure
The vulnerability affects GitHub's AI agent functionality integrated into the Copilot ecosystem, specifically in scenarios where the agent processes code across multiple repositories or when a user's session includes tokens that grant read access to private repos. noma.security's proof of concept demonstrated that even a guest contributor with limited code review permissions could extract entire source files from the organization's private repositories by exploiting the agent's tendency to provide context-heavy responses. In one test, the researchers retrieved a complete signing key that had been committed—though never merged—to a private branch, simply by prompting the agent to "show the full diff for the latest commit on feature/auth."

The timing is particularly concerning given GitHub's announcement of 150 million developers on its platform and the widespread adoption of Copilot across enterprises. While GitHub has stated that no customer data was actually exfiltrated in a confirmed breach, the mere existence of the vector poses a significant risk for organizations that rely on untrusted collaborators or open internal projects to external contributors. The noma.security team noted that the attack did not require any exploit of underlying infrastructure; it leveraged the intended behavior of the AI agent, which is designed to be helpful and context-aware, making detection via traditional access logs difficult.
GitHub's Response and Mitigations
In response to the privately reported findings, GitHub moved quickly to harden the AI agent's context retrieval logic. According to the disclosure timeline, noma.security first contacted GitHub on March 10, 2025, and the platform deployed several mitigations by early April. Key fixes include stricter sanitization of repository paths in AI-generated responses, explicit checks that prevent the agent from citing files from repos the user should not access within the current session, and a new rate-limiting mechanism that triggers when the agent is asked to reference many distinct file paths in a short period—a common pattern in probing attacks.
Additionally, GitHub updated its documentation to emphasize that AI-generated suggestions may inadvertently surface sensitive data if developers commit secrets or leave unmerged branches accessible. The company recommends using its secret scanning and push protection features to prevent credentials from entering repositories in the first place. While the immediate vulnerability has been addressed, security experts warn that the root cause—the difficulty of fully isolating memory and context across different permission domains within a single AI session—remains an ongoing area of concern for all AI-augmented development tools.
Broader Implications for AI-Assisted Development

The GitLost disclosure arrives at a moment when AI coding agents are becoming deeply integrated into software pipelines, moving beyond simple autocomplete to entire codebase refactoring and issue resolution. Tools like GitHub Copilot, Amazon CodeWhisperer, and Cursor all operate with broad file access to provide contextual assistance. noma.security's research underscores a fundamental tension: the more helpful an AI agent is by pulling in relevant snippets from across a project, the greater the surface area for unintended data leaks. This tension will only intensify as agentic systems evolve to autonomously navigate multiple repositories and pull in external dependencies.
For enterprise CISOs, the episode serves as a reminder that existing access controls for human developers do not neatly map onto AI behavior. A developer might legitimately have access to two private repositories, but the AI agent's ability to blend information from both when answering a query could create a channel for cross-repo contamination. As regulatory frameworks like the EU AI Act begin to take effect, AI tool providers will likely face pressure to implement more granular, auditable permission scopes that explicitly govern what data an LLM can recall or recombine. Short-term workarounds include segmenting sensitive projects and disabling AI features for repositories holding high-value intellectual property until more transparent isolation guarantees are available.
What Developers Should Watch For
Based on our analysis of the incident, the immediate takeaway for development teams is to audit who has even minimal access to private repositories and to treat AI agents as potential insider threats when access controls are shared. The noma.security team recommended that organizations adopt a least-privilege approach for service accounts and bots that integrate with AI coding tools, and to run periodic tests using prompt injection scripts to gauge whether internal safeguards are functioning correctly. Meanwhile, the episode is likely to accelerate the creation of standardized red-teaming frameworks for AI assistants in code environments, similar to how the OWASP Top 10 for LLMs has evolved.
GitHub has not publicly released a detailed technical post-mortem, but the rapid response and the security research community's attention to the issue will almost certainly lead to whitepapers and tooling that help other platforms learn from this incident. As AI agents become more autonomous—handling pull request reviews, generating entire features, and even deploying to production on behalf of developers—the lessons from GitLost will be vital in ensuring that such power does not come at the cost of compromised confidentiality. For now, the story serves as a controlled demonstration of what many in the security community already feared: AI agents can inadvertently become the perfect mechanism for exfiltrating the very code they were built to protect.
Commentaires