Fetching from the wire…
Top 5 · 2026-07-08 · source-backed
A GitHub Issue. No code, no credentials, no access. Just a paragraph of English that tells an AI agent to copy your private repo into a public comment. That's GitLost, and it works whether the agent runs on Copilot, Claude, Gemini, or Codex. (Noma Security)
Noma Security disclosed it this week: a prompt-injection flaw in GitHub Agentic Workflows, which have been in public preview since February. An unauthenticated attacker posts a crafted public Issue whose body instructs the workflow agent to pull private-repo data and post it back as a public comment. The agent, doing exactly what agents do, treats the Issue text as instructions rather than data and complies. The HN thread hit 327 points, and The Register, Dark Reading, and The Hacker News all covered it, so this isn't a single-source scare.
The reason this one lands harder than a typical CVE is the blast radius. It's model-agnostic. The vulnerability isn't in Copilot or Claude specifically, it's in the pattern of wiring an LLM agent up to untrusted public input with write access to private context. Cyera published a related argument this week titled "The MCP Governance Illusion," making the point that securing individual tools misses the real risk surface, the data, identities, and cross-system access those tools broker. (Cyera) GitLost is that thesis with a working exploit attached.
This connects to a nasty week for agent security generally. Ars Technica documented HalluSquatting, which weaponizes LLMs' inability to say "I don't know" by registering the package names models hallucinate, turning agent confidence into a distribution vector for botnets across nine popular AI tools. (Ars Technica) And the Vera framework paper hit a 93.9% average attack-success rate against four production agent frameworks. (arXiv)
What to do today: audit every agentic workflow that reads untrusted input (issues, PR comments, emails, webhooks) and has access to anything private. Treat all external text as data, never as instructions. If your agent can both read a public Issue and write to a private repo in the same context window, you have a GitLost waiting to happen. The uncomfortable part is that this is structural, not a patch you install once. The composability that makes agentic workflows useful is the exact thing that makes them a confused-deputy problem.
Each link below shares sources, entities, or timing with this story.
Cyera supports Claude Code / Shared entities / Same source domain / Shared topic / Earlier coverage
Linked by a graph relationship (Cyera supports Claude Code); both cover Claude, Codex, Copilot, Gemini; reported by the same outlet (arxiv.org).
Copilot uses Claude / Shared entities / Same source domain / Shared topic / Earlier coverage
Linked by a graph relationship (Copilot uses Claude); both cover Ars Technica, CLAUDE, February; reported by the same outlet (arstechnica.com).
Cyera supports Claude Code / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (Cyera supports Claude Code); both cover Claude, Codex, Copilot, Gemini; overlapping topics (agent, claude, context, tool).