The attack unfolds in four steps:
The core flaw is a failure to maintain a strict trust boundary between system-level instructions and untrusted user data within the AI agent's context window. As Noma's Sasi Levi stated: "The agent's context window is also its attack surface. Any content the agent reads — whether issues, pull requests, comments, or files — can be weaponized if the agent treats that content as instructional input."
LLM-based agents struggle to distinguish between data and instructions when both appear in the same context or tool output. This is not merely a conventional coding bug but a structural risk in agentic AI workflows, where untrusted content can influence agent behavior if the workflow does not isolate or constrain it.
Researchers have formally categorized this class of flaw as Agentic Workflow Injection (AWI), identifying two core patterns: Prompt-to-Agent (P2A), where untrusted content reaches an agent prompt boundary, and Prompt-to-Script (P2S), where attacker influence propagates through model-derived outputs into later scripts.
GitHub had guardrails intended to prevent data exfiltration, but Noma researchers reported that they could be bypassed with a surprisingly simple technique. Adding the word "Additionally" to the injected instructions reportedly caused the model to reframe its output rather than refuse the request, allowing the data leak to proceed as if it were an authorized continuation of the task.
This approach is consistent with broader prompt-injection research showing that particular phrasing or tool-returned text can cause models to follow malicious instructions they should not follow. The guardrail bypass mirrors patterns seen in earlier incidents, such as the GitHub MCP vulnerability disclosed by Invariant Labs, where a malicious issue could hijack a user's agent to leak data from private repositories.
Based on the GitLost findings and broader agentic-workflow security guidance, affected organizations should implement the following controls:
Organizations should also apply the principle of least privilege to agent secrets and implement continuous security monitoring for prompt injection attempts.
According to Dark Reading and Noma Security's disclosure timeline:
GitLost is not an isolated incident. It represents a growing class of vulnerabilities where AI agents with access to sensitive data are exposed to untrusted user content. Similar issues have affected GitHub MCP integrations, Google's Gemini CLI workflows (the TrustIssues vulnerability), and Claude Code GitHub Actions. The common thread is that LLM-based agents lack an inherent ability to distinguish between data and instructions when both appear in the same context window — a fundamental architectural challenge that no single platform patch can fully resolve.