Archive for Noma

A single GitHub Issue was enough to leak private repos

Posted in Commentary with tags on July 8, 2026 by itnerd

A critical prompt-injection vulnerability in GitHub Agentic Workflows could allow unauthenticated attackers to leak private repository data. A single crafted GitHub Issue was enough to trick the AI workflow into pulling content from private repos and posting it publicly. The agent had broad read access and treated user-submitted text as executable instructions rather than untrusted input, requiring no credentials from the attacker.

Gidi Cohen, CEO & Co-Founder, Bonfy.AI had this to say:

“This disclosure shows that AI-powered automation is now a real exfiltration risk, not a theoretical one, and leaders need to treat it with the same seriousness as SQL injection. A single crafted GitHub Issue was enough to trick an AI workflow into pulling content from private repositories and posting the results publicly, because the agent had broad read access and treated user text as executable instructions rather than untrusted input.

The deeper lesson is structural: an AI agent’s context window is effectively its attack surface, and anything it reads, such as issues, pull requests, comments, files, tickets, can be weaponized if the system does not enforce clear boundaries between ‘data’ and ‘commands.’ This is bigger than GitHub. Any agentic AI wired into production systems, given powerful credentials, and controlled through natural language creates a new, systemic vulnerability class. Executives should assume prompt injection is inevitable and focus on governance: enforce least-privilege access for agents, strictly constrain what they can post or expose publicly, and mandate sanitization or filtering of all user-controlled content before it reaches AI workflows.

The questions leaders should now be asking their teams are simple and pointed: where are AI agents plugged into our workflows, what can they read and write, and what stops a single malicious ticket, issue, or chat message from triggering a large-scale leak? Framed well, this becomes a ‘responsible automation’ stance: we will move fast with AI, but not by blindly expanding our attack surface in ways we do not understand.”

Again, this illustrates that organizations need to have defenses that are on point. Because we’re seeing good guys come out with exploits quickly. Which means that the bad guys will come out with exploits quicker.