Researchers at Noma Security have demonstrated a vulnerability in GitHub's Agentic Workflows that allows an attacker to leak private repository contents by simply opening a crafted issue on a public repository. The attack, dubbed 'GitLost' by Dark Reading, requires no stolen credentials or prior access to the target organization.

The flaw's severity lies in its low barrier to entry: an unauthenticated attacker can silently exfiltrate data from private repos if the organization has granted the agent read access across its repositories. No CVSS score or specific affected version numbers were provided in available sources, though the attack relies on the agent's broad permissions rather than a software bug.

Technically, the attacker creates a normal-looking issue on a public repository. The agentic workflow, designed to automate responses, inadvertently exposes private data when it processes the issue. Dark Reading notes the attack is 'silent,' meaning the organization may not detect the ongoing exfiltration. Indicators of compromise have not been detailed by either source.

GitHub has not yet released a patch or acknowledged the vulnerability publicly. Organizations using Agentic Workflows should review their repository permissions immediately, limiting agent read access to only necessary repos. No workarounds have been published, but restricting agent scope to public repos would block the attack vector.

Attribution points to Noma Security as the discoverer; no threat actor group has been linked. The broader implication is that organizations may unknowingly expose sensitive codebases by over-provisioning CI/CD agent permissions—a recurring theme in supply chain security.