‘GitLost’: researchers tricked GitHub’s AI agent into leaking private repos
What happened
A security firm called Noma Labs uncovered a critical flaw in GitHub’s AI coding assistant that lets someone extract private repository contents simply by opening a politely worded issue. This exploit, dubbed GitLost, tricks GitHub’s conversational AI agent into revealing private code that should be inaccessible. The vulnerability is not a coding bug that can be patched, but rather a logic problem in how the AI handles queries about private repos. GitHub has not documented or formally acknowledged this flaw yet.
The risk
The problem exposes private intellectual property, sensitive development projects, and proprietary codebases to unauthorized access without needing traditional hacking methods. Because the leak happens through natural language interaction, an attacker does not require complex exploits or direct repository access. Any GitHub user able to open issues on a repo could retrieve private code, making the attack surface surprisingly wide. This weakness lowers trust in GitHub’s AI tooling as a safe assistant around sensitive code.
Why it matters
This leak pressures organizations to rethink how much they rely on AI agents integrated with their private code on GitHub. It weakens the basic assumption that AI assistants will keep private code secure during natural language interactions. Builders using GitHub’s AI for productivity gains must treat it as a potential security risk, especially for high-value or sensitive projects. It also forces GitHub to reconsider AI architecture and access controls fundamentally, rather than relying on standard software patches.
Who should pay attention
Developers and operators managing private GitHub repositories must reassess the operational risks of AI coding assistants. Security teams need to evaluate AI interactions as part of their threat model on developer platforms. Founders and investors in AI-powered code tools should watch how this affects adoption and liability. AI product teams should learn that language-based interfaces to code repositories require stronger containment strategies.
What to watch next
Look for GitHub’s official response and any updates to AI agent access policies or new security controls. Watch for broader industry moves to secure AI agents that interact with private developer data. See if other AI platforms with code integrations face similar challenges. This issue pressures AI tooling providers to build more robust limits on data exposure during conversational interactions.
AI Quick Briefs Editorial Desk