🟠 High | Source: The Hacker News
Researchers at Noma Security have demonstrated that a malicious actor can craft a seemingly innocent issue on a public GitHub repository to manipulate GitHub Agentic Workflows into exfiltrating data from an organisation’s private repositories. The attack requires no credentials, no insider access, and no code changes — just a public issue post. If an AI agent has been granted broad read access across repositories, it can be prompted indirectly to leak sensitive private content, a classic prompt injection scenario applied to agentic AI pipelines.
Security Architect’s Take: Audit and aggressively restrict the repository permissions granted to any GitHub AI agents or Copilot-powered workflows — apply least-privilege so agents can only access the specific repositories they need. Additionally, treat any externally-sourced content (issues, PRs, comments) as untrusted input and evaluate whether your organisation’s agentic workflows have adequate guardrails to prevent prompt injection from public surfaces.
Original advisory: Public GitHub Issue Could Trick GitHub Agentic Workflows Into Leaking Private Repo Data