Originally published on rohitraj.tech
On July 7, 2026, researchers tricked GitHub's AI agent into copying a private repo and posting it as a public comment — no code, no credentials, one word. GitLost is not a GitHub bug you wait for a patch on; it's the prompt-injection class every coding agent inherits the moment you give it real permissions. Here's how the attack works, why it can't be fully patched, and the least-privilege playbook I use to keep my own agents from leaking data.
Read the full version with code samples, diagrams, and architecture details: GitLost: The Prompt-Injection Class Every AI Coding Agent Inherits — and How to Defend Yours (2026)
More engineering notes: rohitraj.tech/en/notes
Top comments (0)