GitLost: How GitHub's AI Agent Leaks Private Repos When Asked Nicely — A Guide to Running AI Agents Safely
A breakdown of "GitLost," the vulnerability that lets AI agents leak private repositories. For Japanese companies operating in the Philippines, we walk through security measures you can apply right now — from minimizing agent permissions to incident response, including notifying the NPC.
GitLost: How GitHub's AI Agent Leaks Private Repos When Asked Nicely — A Guide to Running AI Agents Safely
A new vulnerability called "GitLost" lets private code leak just by asking an AI politely. This guide explains, from a hands-on perspective, the permission design and incident response you need to run AI agents safely at your Philippine operations.
Part 1: Why This Matters
Step 1: The Philippine Business Context (3 min)
The Philippines is becoming an ever more prominent base for Japanese companies to entrust with IT development and software operations. Manila and Cebu are home to many local teams that support the system development of Japanese head offices, and GitHub (a service for storing and sharing program source code) is used there every day.
Now "AI agents" are starting to enter those development sites. An AI agent is an AI that carries out work automatically on a person's behalf. On GitHub, too, a mechanism in which AI executes work by itself is now offered, and trial adoption is progressing even at the Philippine bases of Japanese companies.
What this article conveys is a problem in which, "just by making a polite request in writing" to that AI agent, anyone can leak private source code — which should never leave the company — to a place where anyone can see it. The fact that even an attacker with no specialized knowledge can pull it off carries especially heavy meaning for Japanese companies.
Philippine bases handle important information from the Japanese head office, yet their security management structures are sometimes not fully in place. Incidents tend to happen in this order: the local site adopts an AI agent first "because it's convenient," and before the Japanese side notices, information has already gone outside.
In a Manila office, a Japanese manager broaches the topic with the local IT lead: "We've started letting AI do automated work on our GitHub too, right? Apparently, overseas, there was a case where private code leaked just by asking the AI politely. The attacker didn't even need programming knowledge. Could you go through our permission settings with me sometime?" That single remark becomes the first step toward protecting the entire base.
Step 2: Organizing the Key Points of the Original Article (5 min)
We've organized the facts reported in the original article for study purposes.
| Item | Details |
|---|---|
| Name of the vulnerability | "GitLost." A researcher at the security firm Noma Labs discovered and named it |
| The problematic feature | GitHub's "Agentic Workflows." A mechanism in which AI agents using Claude or GitHub Copilot automatically execute work on GitHub Actions |
| What the attack involves | The attacker creates an Issue (a posted work request) in a public repository and slips a command into its body in plain English. The AI agent pulls information from a private repository in the same organization and writes it into the public Issue as a comment |
| What the attack requires | According to Sasi Levi, research lead at Noma Security, no coding skills, access rights, or credentials were needed. You just open a single Issue in the organization's public repository and wait |
| The demonstration example | A post impersonating a "VP of Sales" embedded — amid things like changing the color of a login page — a sentence asking for the README contents of two repositories. The agent retrieved files from both the public and the private repository and posted them as a public comment |
| Status of the fix | Because prompt injection cannot be fully fixed in code, a documentation-based warning was proposed. However, as of publication GitHub had not issued any documentation and did not respond to inquiries |
Source: The Register — "GitHub AI agent leaks private repos when asked nicely" (July 7, 2026)
This table was created for study purposes based on publicly available facts. Please check the original article at the link above for details.
Related: see How AI Agent Development Helps Philippine Businesses Automate Beyond Prompt Engineering.
Step 3: Comprehension Check (5 min)
Q1. A researcher at which company discovered and named the "GitLost" vulnerability?
Hint: It's the name of a security firm that appears in the original article.
Q2. What is the GitHub feature that was abused in this attack called?
Hint: It's the name of the mechanism by which AI agents execute work automatically.
Q3. To make the attack work, did the attacker need coding skills or credentials?
Hint: The research lead clearly stated they were "not needed."
Q4. Where did the AI agent ultimately output the information it pulled from the private repository?
Hint: It's a place anyone can view.
Q5. Was the proposed countermeasure a fix in code, or something of a different kind?
Hint: Prompt injection cannot be fully fixed in code.
Related: see How AI Adoption Helps Philippine SMEs Stay Competitive in 2026.
Part 2: Applying This in Practice
Step 4: Adoption Steps in the Philippines (10 min)
Rather than stopping AI agents, we've summarized how to use them safely in five stages, with notes on what to watch for when rolling this out at a Philippine base.
| Step | What to do | Philippine-specific note |
|---|---|---|
| 1. Take inventory | List which AI agents in your company can access which repositories, and how far | Tools introduced individually at the local site are sometimes unknown to the Japanese head office. Start by identifying them together with the local IT lead |
| 2. Minimize permissions | Separate public and private repositories, and keep the permissions granted to agents to the necessary minimum | Reviewing security settings costs money. Budgeting for it from the start — on the order of tens of thousands to hundreds of thousands of pesos — makes planning easier |
| 3. Don't trust input | Treat Issues and comments arriving from outside as "untrusted instructions," and design things so an agent won't fetch confidential data based on that content alone | Verbal agreements tend to be valued locally, but be sure to put this design policy in writing so it can be handed over even when staff change |
| 4. Prepare incident procedures | Create a response manual that decides who reports what, by when, and to where when information leaks | Under the Philippines' data privacy law, a breach requires notifying the supervisory authority, the National Privacy Commission (NPC). Build this notification into your procedures |
| 5. Explain and embed locally | Explain to local staff, with concrete examples, why these settings are necessary, and make the operating rules take root | Hold a short briefing and show actual attack examples to deepen understanding. Always set aside time to take questions |
Step 5: Common Mistakes and Countermeasures (5 min)
Here are three mistakes that tend to happen when tackling this theme at a Philippine base.
Mistake Pattern 1: Continuing to use agents with broad permissions "because it's convenient"
Bad example: Simply because the local team wants to get work done faster, they hand the AI agent free access to both public and private repositories. Operation continues with no one ever checking the scope of the permissions.
Good example: Keep the permissions granted to agents to the minimum needed for the work. Check one by one whether access to private repositories is truly required, and remove what isn't.
Mistake Pattern 2: Reporting an incident only to the head office and neglecting to notify the local authority
Bad example: A breach is reported only to the Japanese head office, and notification to the Philippines' National Privacy Commission (NPC) is put off. Local legal compliance falls through the cracks.
Good example: When an incident occurs, proceed in parallel with reporting to the Japanese head office and notifying the NPC. Write down in advance, in the response manual, who is responsible for which.
Mistake Pattern 3: Only warning local staff verbally, with no documented rules
Bad example: You finish by verbally telling staff to "watch out for suspicious Issues." When the person in charge transfers, the cautions are handed over to no one.
Good example: Compile the operating rules into a short document and place it where anyone can read it. Share it with new staff at the same briefing so everyone applies the same standard of judgment.
Part 3: Learning More Deeply
Step 6: Related Technical Terms (5 min)
Prompt injection (an attack that slips unauthorized commands into instruction text) is a technique that quietly mixes commands into the text the AI reads, steering the AI into behavior different from its intended purpose. In this attack, a sentence asking for private files was mixed into the body of an Issue impersonating a sales rep, making the agent comply. At Philippine development bases too, if inquiries or Issues arriving from outside are handed to the AI to process as-is, there is a danger of being deceived in the same way.
An AI agent (an AI that automatically advances work on a person's behalf) receives instructions, judges on its own, and executes multiple tasks in sequence. GitHub's Agentic Workflows (the autonomous-execution mechanism) that became the issue this time is a prime example. In Manila IT departments, entrusting testing and code cleanup to agents is on the rise, and it's worth noting that, in exchange for convenience, oversight becomes harder to maintain.
A repository (a code storehouse) is a place to keep program source code and files together, and there are "public" ones anyone can see and "private" ones for internal use only. The core of this incident is that a public repository was used as the entry point to extract the contents of a private repository in the same organization. When a Philippine base shares repositories in the same organization as the Japanese head office, managing this boundary translates directly into the safety of your information.
Data exfiltration (carrying information out to the outside) refers to confidential information leaving the company without anyone noticing. The article flagged the danger of an agent quietly carrying information out. At Philippine bases, where much of the work handles customer and design information, keeping audit logs (records of operations) that let you notice this kind of "quiet leak" forms the foundation of your defense.
A PoC (proof of concept) is a sample that actually runs an attack or technique to confirm whether it really works. This time, the researcher actually reproduced and published the steps by which the attack succeeds. When considering a new AI tool in the Philippines too, it helps to adopt the stance of testing safety on a small scale before expanding, rather than judging from sales materials alone.
Step 7: Thinking About How to Apply This at Your Company (10 min)
Inventory the permissions of the AI agents your company uses
Something to consider: Do you have a grasp of which repositories and systems the AI agents currently running in your company can touch, and how far? You can't protect what you can't see.
Treat external input as "untrusted"
Something to consider: Aren't Issues, emails, and inquiries arriving from customers or outside parties being executed by the AI as instructions as-is? Consider whether you can set up a checkpoint where a human reviews them once.
Align the incident contact routes between the Japanese head office and the Philippine base
Something to consider: If an information leak happened at your base today, who would contact the head office, and who would contact the NPC? If roles aren't decided, the initial response will be slow.
Next action: First, take just 30 minutes with your local IT lead and write out, on a single sheet of paper, "the AI agents running in the company and their access scope." Making it visible is the starting point for every countermeasure.
Part 4: FAQ
Q1. Should we stop adopting AI agents altogether?
There's no need to stop. The problem lies not in the tool itself but in how permissions are granted and how input is handled. If you minimize the access scope and design things so external input isn't trusted unconditionally, you can reduce the danger while keeping the convenience. At Philippine bases, the safe approach is to test small first and then expand.
Q2. We only use private repositories. Is this still relevant to us?
Yes, we recommend checking. This attack exploits the fact that public and private repositories coexist within the same organization. Inspect your organization-wide settings once to see whether you can truly say "there isn't a single public repository." If the Japanese head office and the Philippine base share the same organization, you need to check from both perspectives.
Q3. If an information leak happens in the Philippines, what should we do first?
After stopping the damage from spreading, proceed with reporting to the Japanese head office and notifying the Philippines' National Privacy Commission (NPC). Writing down in advance, in a response manual, who handles which speeds up the initial response. Especially when personal information is involved, it's important not to put off local legal compliance.
Q4. How can we raise local staff's understanding of security?
Rather than abstract cautions, a briefing that shows actual attack examples like this one is effective. Showing, with concrete examples, that "even what looks like a polite request can hide a command" makes it easier to get the point across. Don't finish with words alone; compile it into a short document and place it where anyone can read it.
Q5. There's a gap in urgency between the Japanese head office and the Philippine base. How do we close it?
Start by aligning the incident contact routes and standards of judgment into a shared document for both bases. In the Philippines there is also a culture that values verbal agreement, but if you always put security procedures in writing so they can be handed over even when staff change, the gap will narrow.
Tips for Making the Most of This (3 Tips)
Write out your company's AI agents in a single table If you can't see what touches what and how far, you can't set countermeasure priorities either. Just listing the running agents and their access scope makes the dangerous spots stand out clearly.
Insert one "human check" into external input A flow in which the AI executes Issues and inquiries as-is is the very entry point of this attack. Setting up a checkpoint where a person reviews things once before operations involving confidential data can stop commands hidden in a polite request.
Standardize incident contacts across the head office and the base Deciding roles after an information leak has already happened is far too late. Compile into a single response manual who will, by when, report to the Japanese head office and notify the Philippines' NPC.
Bonus: How to Use PH AI Works
PH AI Works is a solutions company that supports the use of AI and technology in the Philippines. Safe operation of AI agents, as in this case, is a theme where convenience and danger sit back to back, and design tailored to local circumstances is essential.
As a next step, you can consult us on things like the following.
- Visualizing the access scope of the AI agents running in your company and organizing a permission-review policy together
- Supporting the creation of an incident-response manual grounded in the Philippines' data privacy law (NPC)
- Designing a security briefing for local staff that incorporates concrete attack examples
Even at the stage of "we don't know where to start," that's fine. Please feel free to reach out first. Consultation is free.
References & Sources
About the author

Founder / AI Engineer (36+ years in IT)
- ●From Tokyo · based in Manila for 13+ years
- ●36+ years in IT (development, SEO, AI)
- ●IBM Certified Generative AI Engineer
- ●AI chatbots, RAG & AI agent development
A Japanese AI engineer with 36+ years in IT and 13+ years on the ground in the Philippines. I write from hands-on experience to help Japanese companies adopt AI that actually delivers results — chatbots, workflow automation, AI agents, and AI-driven marketing. Feel free to reach out in Japanese or English.
Your Competitors Are Already Using AI!
Is your business keeping up?
Related Articles
Lean AI Transformation: Cutting Waste Before Adopting AI in the Philippines
Lessons from logistics giant C.H. Robinson's Lean AI transformation, applied to business automation and AI adoption in the Philippines. For Japanese companies operating in or expanding to the Philippines, we cover how to start by cutting wasted time, how to avoid common mistakes, and what to watch for on data privacy.
7/6/2026
How West Shore Home Uses AI to Double Revenue with 1,000 Fewer Hires — and Why the "Last Mile" Still Belongs to People
A look at how U.S. remodeler West Shore Home used AI to hold back 1,000 hires while doubling revenue, written for Japanese companies operating in the Philippines. Covers how to roll out automation, guard against hallucinations, explain the change to local staff, and stay mindful of NPC rules.
7/5/2026
What the "Devin-kun" Phenomenon Teaches Us About AI Agents: The Impact on Philippine IT/BPO Work and Japanese Companies
Using "Devin," the AI agent spreading rapidly across Japan, as a lens, we map its impact on Philippine IT and BPO work and lay out the steps to adopt it. A practical, plain-language guide for Japanese companies in the Philippines and those considering entry — covering implementation steps, regulations, and how to avoid common failures.
7/4/2026
Cisco Rolls Out AI Agents to All 90,000 Employees: A Company-Wide AI Adoption Guide for Japanese Companies in the Philippines
Drawing on Cisco's rollout of AI agents to all 90,000 of its employees, this practical guide walks Japanese companies operating in the Philippines through the adoption steps, cost estimation, NPC regulations, and data handling rules they need to get right.
7/3/2026
Why Rising Electricity Costs Are Fueling a Rooftop Solar Boom in the Philippines | A Cost Guide for Japanese Companies
A practical guide to the Philippines' surging rooftop solar movement, written for Japanese companies operating locally. It covers Meralco's rate hikes, installation steps, payback periods, and local regulatory pitfalls from a hands-on, cost-management perspective.
6/29/2026
A 50-Year-Old Shop Turns to TikTok Shop: Retail Digital Transformation Lessons for the Philippines
A look at how a long-standing U.S. snack shop used TikTok Shop and online sales to overcome falling foot traffic, with practical lessons for Japanese companies entering the Philippines — covering how to launch online and social commerce, plus local tax and regulatory points to watch.
6/29/2026
