GitLost: researchers trick GitHub's AI agent into leaking private repos

The 'GitLost' research, published by Noma Security, demonstrates how attackers can manipulate GitHub's AI coding agent into exfiltrating private repositories—a concrete exploit against the kind of autonomous agent now embedded in developer workflows. It hit 510 points and 192 comments on Hacker News, reflecting acute anxiety about agentic AI security.
Mechanically, agent exploits typically abuse the agent's tool permissions and trust boundaries: a maliciously crafted prompt, file, or repo content coaxes the agent into performing actions (like reading and leaking private code) that a human wouldn't authorize. As agents gain autonomy and access, their attack surface expands—prompt injection becomes a data-exfiltration vector, not just a nuisance.
Competitively and thematically, this is a week where agent security surfaced repeatedly: AWS published guidance on the inevitability of system-prompt leakage (system prompts hold proprietary role definitions and tool descriptions) and detailed securing Bedrock AgentCore Runtime with AWS WAF, while Alibaba's Claude Code backdoor allegation raised parallel trust questions. Together they signal that as agentic AI ships into production, its security model is immature. Skeptics argue the industry is deploying agents faster than it can secure them. Watch GitHub/Microsoft's mitigation response and whether disclosures like GitLost slow enterprise agent adoption.