Top
Best
New

Posted by ColinEberhardt 15 hours ago

GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos(noma.security)
478 points | 184 commentspage 4
zero_k 11 hours ago|
Nobody at GitHub expected this? Their feature develoment&release processes must be garbage/non-existent/not followed. This potential security issue should have been flagged when the new feature was thought up, security should have been part of the process of implementing the feature giving continuous feedback, and it should have been tested for before release of the feature. That's how modern security teams work in large, well-functioning organisations.

What is going on over there? No process, no oversight, just YOLO? Super-scary, because it means other stuff that we don't see is likely to be done in a similar manner.

dainiusse 11 hours ago|
You know how it works. There probably were people who didn't want that, but then there is push from business, deadlines, etc.
zero_k 8 hours ago||
It's crazy I am being downvoted, though. Like, I am complaining about their processes that failed, and people are somehow on GitHub's side. Really weird stuff.
klntsky 12 hours ago||
It's insane that no one tried this internally during development
pojzon 1 hour ago||
This is a permissions scope misconfiguration by OP.

It has nothing to do with GitHub and giving it a name is hilarious.

“Look I shoot myself in the foot and now its bleeding. ITS THE GUN MANUFACTURER FAULT”

gitowiec 11 hours ago||
Unfortunate name! It's not an issue with git, it's with GitHub, so the name should be something like HubLost...
emsign 9 hours ago||
LLMs are all about corporate piracy it's just hidden in plain sight.
marak830 13 hours ago||
Who thought having a LLM with access to private information, with public access to ask it questions, would ever be a secure process?

Look I like interacting with these tools as much as the next guy, but I'm certainly not going to trust them with access to information and then allow anyone to send them prompts.

Edit/further thoughts: So (assumable as they said this is disclosed with github's knowledge) this has been patched. But how many different word combinations will it take to find another way to have this occur?

gitaarik 13 hours ago||
It must be something to do with Microsoft being the owner now of GitHub
7bit 13 hours ago|||
Now that's just speculation
marak830 13 hours ago|||
You know what? I had honestly forgotten about that xD. /thread
toomuchtodo 13 hours ago|||
My Lethal Trifecta talk at the Bay Area AI Security Meetup - https://news.ycombinator.com/item?id=44846922 - August 2025 (115 comments)

https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

marak830 12 hours ago||
Good read thanks.

Also interesting to see who coined the term prompt injection.

sevenzero 13 hours ago||
Yea agreed. LLM guardrails are either just written prompts as in "Please do not bad stuff :(" or other LLMs verifying that the first LLM didn't so some bs. Both of wich methods do not work sufficiently as time shows again and again.

Funnily enough, nobody expects quality software anymore and errors became tolerable. So thats a win (for someone like me that lost all passion for the industry).

eloisius 13 hours ago|||
Agree with your assessment of guardrails. They barely work on the best days. We need to flip the idea of “agent” on its head. The agent here is an agent of the user interfacing with GitHub. Not an agent of GitHub interfacing with the user. Prompts and guardrails cannot keep the agent loyal to the company. Stop giving these things any permissions the user doesn’t have, and recognize them for what they are: a different UI than web forms, but still the same security model.
consp 13 hours ago||||
That last part is I think called negligence. And in some industries that becomes criminal negligence quite quickly.
sevenzero 13 hours ago||
Most companies I ever worked for inherently operate on criminal negligence, and even when addressed, have no interest in fixing it.
zzril 11 hours ago||||
Guardrails are essentially part of the input. Saying "but we have guardrails" is like saying "but we do trust part of the input".

Either way, even if you trust 100% of the input, there is actually no way to guarantee that you can trust the output of the LLM. (Which, I guess, is also true for every dependency you pull in. But for those, you at least have ways to audit them.)

zzril 12 hours ago||
> In most agentic prompt injection attacks, the agent treats the wrong content as a trusted source of instructions and allows itself to be misdirected or misused. This happens when the system fails to maintain a strict trust boundary between system-level directives and untrusted user data.

How on earth is a probabilistic token predictor supposed to turn untrusted user input into trusted system-level directives? The strict trust boundary must be maintained on this side of the agent, not within it.

kstenerud 9 hours ago||
I've been beating a dead horse over this for months now but nobody seems to listen until it's too late...

1) Sandbox any LLM that has access to tools (I don't mean the pathetic sandboxes the agent harnesses provide).

2) Assign them credentials and use auth/access control like you would for a human.

noisy_boy 4 hours ago||
This is like repeatedly trying to train a dog with amnesia to not poop in the bedroom. Despite the dog repeatedly doing so and moreover being particularly easy to be fooled into doing so.

It can't reliably learn so stop trying to teach it. Lock the bedroom instead.

jerrycat101 10 hours ago|
i still dont understand how the cyber security industry doesnt become huge with AI attacks and everything nowadays...
More comments...