A public issue, a private leak — no credentials required
Security researchers at Noma Security have demonstrated a troubling attack vector targeting GitHub Agentic Workflows. The premise is deceptively simple: an attacker opens a normal-looking issue on a public repository. That’s it. No stolen credentials. No direct access to the organization’s internal systems.
If the targeted organization has granted the agent read access across its repositories — including private ones — the contents of those private repos can be exfiltrated. The attack works because the agent, designed to automate responses and actions, can be tricked into following instructions embedded in the issue itself.
The finding raises serious questions about how much trust organizations are placing in automated workflows that interact with untrusted input.
How the attack works: poisoning the prompt
GitHub Agentic Workflows are a relatively new feature that allows AI-driven agents to respond to events like issue creation, pull requests, or comments. They can be configured with broad permissions — including read access to private repositories — to perform tasks like triaging bugs, summarizing code changes, or generating patches.
Noma’s research shows that an attacker can craft a public issue containing what amounts to a prompt injection. The agent, upon processing the issue, interprets the injected instructions as legitimate commands. In the proof of concept, the attacker instructed the agent to read files from a private repository and then send those files to an external server controlled by the attacker.
“The agent doesn’t know the difference between a legitimate task and a malicious one,” said a Noma researcher. “It just follows the instructions it’s given, based on the context it has access to.”
The entire chain requires no exploitation of GitHub’s infrastructure — just a public issue and an agent with overly broad permissions.
Why this is different from a typical supply chain attack
Most supply chain attacks on GitHub involve compromised credentials, malicious dependencies, or vulnerabilities in Actions runners. This attack is different. It exploits the trust model of the agent itself.
The agent is given a high-privilege token or access scope — often for convenience — and then exposed to user-generated content that can manipulate its behavior. It’s a classic prompt injection vulnerability, but applied to an infrastructure automation context rather than a chatbot.
“The real issue is the gap between the permissions an agent needs to do its job and the permissions it actually gets,” the researcher added. “Teams often err on the side of giving too much access because it’s easier than fine-tuning.”
Who is most at risk
Any organization using GitHub Agentic Workflows with read access to private repositories is potentially vulnerable. That includes:
- Companies using agents for automated code review or issue triage across both public and private repos
- Open-source projects where maintainers have connected agents to internal repositories for dependency management or security scanning
- Teams that have not restricted the agent’s scope to specific repositories or actions
The attack surface is particularly wide for organizations that run public repositories alongside private ones under the same GitHub organization. A single public issue on any public repo in that organization can trigger the agent — if the agent is configured to listen to all issues.
Mitigation: least privilege and input sanitization
Noma Security recommends several practical steps to reduce the risk:
- Restrict agent permissions. Give the agent only the minimum access it needs — ideally scoped to specific repositories and specific actions. Avoid granting blanket read access across all repos.
- Use a separate agent for public vs. private repos. If an agent must interact with public issues, keep it isolated from private data. Use a different agent or a different token for internal workflows.
- Sanitize and validate inputs. Treat any content from public issues, comments, or pull requests as untrusted. Implement checks that strip or escape potentially malicious instructions before they reach the agent.
- Audit agent behavior. Log all actions taken by the agent and review them for anomalies. Set up alerts for unexpected file reads or data exfiltration patterns.
GitHub has been notified of the finding. The company has not yet issued a public statement or patch, but the vulnerability is inherent to how agents interpret natural language instructions — not a bug in GitHub’s code per se.
The bigger picture: agent security is still immature
This research is a reminder that AI agent security is still in its early days. As more platforms integrate autonomous agents that can read, write, and act on data, the attack surface expands dramatically. The same qualities that make agents powerful — their ability to interpret context and take independent action — also make them vulnerable to manipulation.
“We’re seeing the same pattern we saw with early web applications,” said a security analyst not involved in the research. “Developers are excited about what agents can do, and security is an afterthought. That’s how breaches happen.”
For now, the safest approach is to assume that any public-facing input can be weaponized. Until agent platforms build robust guardrails — like mandatory input validation, permission boundaries that cannot be overridden by instructions, and human-in-the-loop approval for sensitive actions — organizations should treat agentic workflows with the same caution they’d give any internet-facing service.
The Noma team plans to release a full technical write-up and a proof-of-concept video in the coming weeks. For organizations already using GitHub Agentic Workflows, the time to audit permissions is now — before an attacker opens that first issue.