GitHub Agentic Workflows Leak Private Repo Data via Public Issue

ยท
Listen to this article~4 min
GitHub Agentic Workflows Leak Private Repo Data via Public Issue

A public issue can trick GitHub Agentic Workflows into leaking private repo data. Researchers at Noma Security show how attackers exploit this flaw without credentials. Learn how to protect your organization.

### The Vulnerability in a Nutshell Security researchers at Noma Security have uncovered a serious flaw in GitHub's Agentic Workflows. They showed that a simple public issue can trick these automated systems into spilling the contents of an organization's private repositories. An attacker doesn't need stolen credentials or special access. They just open a normal-looking issue on a public repository. If that organization has given the agent read access across its repos, private ones become exposed. It's that straightforward. ### How the Attack Works GitHub Agentic Workflows are designed to automate tasks like code review and issue triage. But they can be manipulated. Here's the breakdown: - The attacker creates a public issue on a repo the organization owns. - The issue contains a carefully crafted prompt that triggers the agent. - The agent, acting on its instructions, fetches data from private repositories. - That data gets leaked back into the public issue thread. No hacking required. No brute force. Just a cleverly worded request. ### Why This Matters for Your Security If your team uses GitHub Actions or any automated workflow with broad read permissions, you're at risk. The agent doesn't know it's being tricked. It follows commands based on its programming. Think of it like a helpful assistant who'll fetch any file you ask for, even if it's in a locked drawer. The assistant doesn't question the request. It just opens the drawer. ### Protecting Your Private Repos So what can you do? Start by tightening agent permissions. Don't give blanket read access across all repositories. Limit each workflow to only the repos it absolutely needs. - Review all GitHub Action configurations. - Use fine-grained access tokens instead of broad permissions. - Monitor public issue threads for suspicious activity. - Educate your team about this specific attack vector. Remember, this isn't a bug in GitHub's code. It's a feature being exploited. The system works as designed, but the design has a dangerous loophole. ### Real-World Implications For companies in the US handling sensitive code, this is a wake-up call. Private repos often contain proprietary algorithms, customer data, or internal tools. A leak could mean lost intellectual property or compliance violations. Imagine a startup with its source code in private repos. A competitor opens a public issue, triggers the agent, and suddenly has access to the product roadmap. That's not a hypothetical scenario anymore. ### What Experts Recommend Noma Security suggests treating GitHub Agentic Workflows like any other privileged system. Apply the principle of least privilege. Audit what each agent can access. And always assume a public issue could be a threat. - Set up alerts for unusual agent activity. - Test your own workflows with simulated attacks. - Consider disabling agentic features until you've reviewed permissions. ### Final Thoughts This vulnerability shows how automation can backfire. We trust these tools to make our lives easier, but we need to stay skeptical. A few minutes reviewing your GitHub setup today could save you from a major breach tomorrow. Stay sharp, stay secure, and always question what your agents can do.