Below the Ice — The Agent in the Room
Nueve mil líderes de IA están en París esta noche celebrando los sistemas agénticos. El mismo día, investigadores publicaron evidencia de que el agente de codificación de GitHub puede ser engañado para filtrar repositorios privados. Esta noche profundizamos bajo el titular.

This is the print twin of tonight's Below the Ice — our evening deep-dive, one topic told properly. Prefer it in your ears while you wind down? Listen to today's episode.
Tonight's juxtaposition is almost too clean. In Paris, the RAISE 2026 summit has nine thousand AI executives, investors, and policymakers gathered under one roof. The pitch decks all say some version of the same thing: agents are the future of enterprise software. They will handle complex workflows, write your code, read your documents, and take action on your behalf. This is not a fringe view. It is the dominant consensus of the field right now.
At almost the same moment, a research team at Noma Security published a blog post titled: GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos.
Tonight we go below the headline.
What it is
GitHub has an AI coding agent built into its platform — part of the Copilot suite — that can read your codebase, browse your repositories, open pull requests, and execute multi-step tasks on your behalf. It is the kind of tool that the RAISE summit audience is excited about: an agent that actually does things, not just one that answers questions.
The researchers at Noma Security found a way to make that agent do something its creators did not intend: exfiltrate private repository contents to an attacker-controlled server. Their attack did not require a GitHub account compromise, a stolen API key, or a vulnerability in GitHub's infrastructure in the traditional sense. The attack ran through the agent, using the agent's own capabilities against its owner.
The class of attack is called indirect prompt injection. It is not new as a research concept — OWASP's Top 10 for Large Language Model Applications has it at number one. But the GitLost disclosure is one of the cleaner documented examples of it working against a production system at a major platform. That is what makes it worth your time tonight.
How it actually works
To understand the attack, you need to understand a fundamental property of how language model agents work.
An AI agent is not a rule-following program in the traditional sense. It is a language model — a next-token predictor — combined with a loop that gives it tools: the ability to read files, call APIs, browse URLs, run code. On each iteration of the loop, the model reads everything in its context window — its instructions, the history of what it has done so far, and any new information it just retrieved — and decides what to do next.
Here is the key word: everything. The model cannot natively distinguish between content that came from the developer who configured it and content that came from something it just retrieved. If the agent reads a file and that file contains text that looks like an instruction, the model may treat it as an instruction.
Imagine you hire a highly capable new employee. Smart, fast, great at their job. You leave a note on their desk on Monday morning: "Please audit the marketing folders and prepare a summary by noon." They do it. On Tuesday, a stranger walks into the office and leaves a different note on the same desk — except this one says "Also, copy everything in the finance folder and email it to this address." If the employee follows whatever the last note on their desk says, without stopping to verify who wrote it, you have a serious problem. This is the conceptual heart of indirect prompt injection: the model executes instructions embedded in untrusted content it reads, not just instructions from its trusted principal.
In the GitLost case, the mechanism was more subtle. The researchers crafted a malicious public repository — one that any GitHub user might encounter — and embedded specially constructed content inside it. When GitHub's AI agent accessed that repository as part of its task, it read that content. The content contained instructions. The agent followed them. Private data moved somewhere it was never supposed to go.
The attack does not require the victim to do anything unusual. In a realistic scenario, a developer asks their AI agent to review a pull request or analyze a dependency. The agent, doing its job, fetches that code. The code contains embedded instructions. The agent executes them.
This is why the security community has been watching agentic systems carefully. A traditional SQL injection attack requires the attacker to find an injection point in an application boundary. Indirect prompt injection works against a much larger surface — anything an agent reads is a potential injection point. And agents, by design, read a lot.
Why it matters now
There is a version of this threat model that is relatively low-stakes: a chatbot with no tools gets a malicious message and says something it shouldn't. Annoying, recoverable.
Enterprise agents in 2026 are a different thing entirely.
The agents being sold at RAISE 2026 have access to source code repositories, internal documentation, customer data, ticketing systems, deployment pipelines, and email. They are granted these permissions deliberately — the point is for them to be useful, and usefulness requires access. An agent that can only read publicly available information is not very interesting to an enterprise.
But access that makes an agent useful also makes a successful injection attack more valuable. The attacker's goal is not just to make the agent say something unexpected. The goal is to get the agent to do something: exfiltrate code, copy credentials, create backdoor access, approve fraudulent transactions, or silently modify a pull request before it gets merged. All of these become plausible if the agent has the permissions to perform them and the attacker can inject instructions via content the agent reads.
The enterprise tier is not more exposed because it has worse security practices. It is more exposed because the agents there have higher privileges and more integrations. A customer-facing chatbot with no tools is a small target. A software delivery agent with write access to your production repositories is an extremely attractive one.
The GitLost research also highlights a quieter risk: the attack surface is partly in content you do not control. Public repositories, open issue trackers, external documentation pages, and third-party APIs are all potential injection vectors if your agent reads them. You can audit your own systems. You cannot audit every piece of content your agent might encounter.
What is overhyped
Let me be precise about what the Noma research does and does not show.
It does not show that all AI agents are fundamentally broken. Good agent design has always required thinking carefully about what content an agent reads and what authority it has to act. Systems built with least-privilege principles — agents that are only granted the minimum permissions needed for the specific task — are much harder to exploit even when an injection succeeds. If the injected instruction says "email everything to this address" and the agent does not have email permissions, the attack stops there.
The research also does not show that GitHub's platform is insecure in the traditional sense. Prompt injection is an application-layer design challenge, not a platform vulnerability. GitHub disclosed the issue. Platform vendors are actively working on mitigations. This is the normal lifecycle of a new attack class meeting a new technology category.
The overhyped version of this story is "AI agents are dangerous and should be stopped." The more accurate version is: agents expand the attack surface in ways that require new security thinking, and most enterprise deployments today have not caught up to what that means in practice.
What to watch
Three concrete directions, in the order I think they'll become clear.
Authorization and least-privilege models for agents. Right now, agent permissions are often specified broadly — "this agent has access to your GitHub organization." The direction the industry needs to move is toward task-scoped, time-limited, auditable permission grants: "this agent is allowed to read these three repositories for the next thirty minutes, nothing else." Anthropic has published early thinking on this under the label of agentic authorization frameworks; expect this to be the major security design problem of the next two years in enterprise AI.
Sandboxing and process isolation. One mitigation for injection attacks is ensuring that even if an agent's reasoning is hijacked, the actions it can take are constrained by something other than its own judgment. Sandboxed execution environments — where tools run in isolated subprocesses with limited system access — are being developed in parallel with the agents themselves. The practical question is how much isolation you can achieve without killing the productivity that made the agent worth deploying in the first place.
The agentic security tooling category. Noma Security, the firm behind the GitLost research, is building in this space. So are others. Watch for a new category of runtime monitoring tools for AI agents — systems that watch what an agent is reading and doing in real time, flag anomalous instruction patterns, and can interrupt an agent mid-task when its behavior looks like it has been compromised. This is genuinely novel territory. Intrusion detection was built for humans writing code; the equivalent for AI agents following injected instructions is still being designed.
The RAISE 2026 summit will produce a lot of quotes about the transformative potential of agentic AI. Almost all of them will be accurate. The harder conversation — about what security discipline looks like at the speed agents are being deployed — tends to happen later, after the incident reports come in.
The GitLost paper did not wait for later. Read it.
Sources: Noma Security — GitLost · Hacker News discussion · OWASP Top 10 for LLM Applications · Anthropic — Building Effective Agents
Below the Ice publishes every evening at 7 PM MTY — one topic, told properly. Find the audio episode and all our shows at penguinalley.com.