The experts demonstrated this using an Indirect Prompt Injection (IPI) infected GitHub agent workflow. This was configured to:
- triggered the workflow on `issues.assigned` events in GitHub,
- read the title and body of the issue,
- published a reply comment using the “add-comment” tool, as well as
- with read access to other repositories (public and private) within the organization.
One issue is enough
The experts at Noma Labs emphasize that attackers do not need any programming knowledge, access rights or login details. It is completely sufficient to open an issue in a public repository of an organization that uses GitHub’s “Agentic Workflow” setup and wait.
Although GitHub has various security mechanisms to prevent such a scenario, according to security researchers, these can be overcome through persistence and keywords. As Noma Security Research Lead Sasi Levi reports, he added the keyword “Additionally” when testing different attack variants. This triggered unexpected behavior from the model: the agent reformulated its output instead of rejecting it, according to the expert.
By manipulating the model in this way, he then managed to bypass GitHub’s security mechanisms so that they did not prevent the data leakage. A poc (public repository), a remote-ping (public repository, no README confirmed) and a testlocal (private repository) were then leaked.
Built-in weaknesses in the agent
The process illustrates that the GitHub agent’s context window is also its attack surface. Any content that the agent reads – be it issues, pull requests, comments or files – can be used as a weapon, the experts said. The only condition: The agent must interpret this content as an instruction.
For Noma Labs, prompt injection attacks are to agent-based AI what SQL injection is to web applications: a systematic, category-wide class of vulnerabilities. Combating this requires systematic strategies and defensive measures.
