A critical security flaw identified as GitLost allows attackers to extract sensitive information from private repositories using simple natural language commands. The vulnerability targets GitHub Copilot's Agentic Workflows, a feature designed to automate coding tasks. By hiding malicious instructions within a public issue, an attacker can trick the AI agent into retrieving data from a user's private repository and posting it as a public comment.
The exploitation of GitLost is particularly dangerous because it bypasses traditional security barriers in several ways:
- No coding skills required: The attack uses standard language prompts rather than exploit code.
- Zero credentials: Attackers do not need prior access to the victim's private environment.
- Stealthy execution: Malicious instructions are embedded in the description of public issues where they may go unnoticed.
Currently, the GitHub platform has not released a formal patch for this prompt injection bypass. Users relying on Copilot's automated workflows should remain cautious about the visibility of their private metadata and secrets, as the system can be manipulated to treat external instructions as high-priority tasks.

