Todas las ediciones
noticiasPublicado 2026-07-08

Cold Open — The AI Agent That Leaked Your Private Code

Investigadores de Noma engañaron al agente de IA de GitHub para filtrar datos de repositorios privados mediante prompt injection — la demostración más clara hasta ahora de por qué los agentes de IA necesitan un modelo de superficie de ataque. También: NVIDIA lanza Isaac GR00T para políticas de robots humanoides de extremo a extremo, y la CPU Vera llega como infraestructura construida para la era agéntica.

video
Cold Open — The AI Agent That Leaked Your Private Code
vistas

Tuesday, July 8, 2026. We scanned 384 items across our sources today; three made the cut — and the lead one is a security research report every builder using an AI coding agent needs to read before they push another commit.

Listen to today's episode on the Cold Open podcast page.


The lead · GitLost — researchers tricked GitHub's AI agent into leaking private repos

A penguin security researcher lock-picking a digital vault with binary code streaming out, prompt injection attack visualization

Security firm Noma Security published a research report called GitLost this week, documenting how they manipulated GitHub's Copilot-powered AI agent into exposing data from private repositories it should never have touched. The attack vector is prompt injection: by embedding adversarial instructions in content the agent processes (a repository README, a comment, a commit message), the researchers were able to redirect the agent's behavior mid-task — causing it to exfiltrate private data back to an attacker-controlled surface.

"We were able to trick the GitHub AI agent into leaking private repository data by injecting malicious instructions into content it processed as part of legitimate tasks." — Noma Security, GitLost

The mechanism is not a GitHub-specific bug. It is the same class of vulnerability that has been flagged in every AI agent that processes user-controlled content without a trust boundary: the model cannot reliably distinguish between instructions from its operator and instructions embedded in the data it is reading. The attacker's text and the principal's instructions live in the same context window, and the model treats both as inputs it should follow.

Why it matters

If you use GitHub Copilot Workspace, Actions-based AI agents, or any tool that lets an AI model read your repository content and take actions based on it, this attack surface exists in your setup today. The scope of the problem scales with agent capability: more autonomy means more potential for injected instructions to cause damage before a human notices.

The defensive posture is layered: least-privilege access controls on what repositories an agent can read; output validation before any agent-triggered action reaches a write path; and treating all content the agent processes from the outside world as untrusted, regardless of where it came from. None of these are novel ideas — they are standard security engineering applied to a new surface.

The second-order implication is product design. Every AI agent that reads external content (issues, PRs, comments, attached files) needs an explicit threat model. The fact that this attack worked on a major platform's production agent shows the industry is still catching up on threat modeling for agentic systems.

The fine print

Noma disclosed to GitHub before publishing. GitHub has acknowledged the research. The specific techniques may be patched or mitigated in ways not fully visible to external researchers by the time you read this — but the class of vulnerability is structural, not a one-off. Prompt injection in AI agents is OWASP's top concern for LLM application security as of their 2025 update.

Sources: noma.security/blog/gitlost · OWASP LLM Top 10


02 · NVIDIA Isaac GR00T — humanoid robot policies, end to end

Penguin engineers programming a tall sleek humanoid robot in a futuristic robotics laboratory with holographic policy diagrams

NVIDIA published a developer blog post detailing a full end-to-end pipeline for developing humanoid robot policies using Isaac GR00T. As more robotics teams move past bring-up into task-specific skill development, NVIDIA is positioning Isaac GR00T as the repeatable workflow for that phase: data collection, policy training, sim-to-real transfer, and deployment on humanoid hardware.

Why it matters. Physical AI is accelerating on the NVIDIA stack, and the developer tooling is catching up to the hardware. If you are building in robotics or watching the physical AI space, this is the reference architecture NVIDIA is pushing the ecosystem toward. The end-to-end framing matters — not just model weights, but a documented pipeline from sensor data to deployed skill.

Source: developer.nvidia.com/blog/develop-humanoid-robot-policies-end-to-end-with-nvidia-isaac-gr00t


03 · NVIDIA Vera CPU — a processor built for the agentic era

A glowing CPU chip with agent workflow nodes and penguins monitoring an AI factory floor with interconnected pipelines

NVIDIA released the Vera CPU alongside a technical brief explaining why they are calling it a "max single-threaded CPU at scale" designed for agentic workloads. The framing: every step in an agentic pipeline — tool calls, code execution, API responses, memory reads — runs on the CPU, not the GPU. The GPU handles model inference, but the orchestration layer runs on CPU, and most CPUs are not designed to minimize that orchestration latency at scale. Vera's design targets exactly that bottleneck.

Why it matters. If your agentic system is slow at scale, the GPU might not be the culprit. NVIDIA's naming the CPU as the critical path for agentic AI factory throughput — response time, reasoning latency, the per-step overhead that compounds across a multi-step agent run. Early adopters building AI factories on Vera's silicon include names NVIDIA is highlighting in its launch briefings.

Source: blogs.nvidia.com/blog/nvidia-vera-max-single-threaded-cpu-at-scale


Also on the radar


Trends in dev tools

What moved today in the tools builders actually ship with.

  • NVIDIA Vera reframes where agentic latency lives. The narrative has been GPU-centric — inference speed, token throughput, context length. Vera's technical brief argues the CPU is the bottleneck for multi-step agentic workflows: every tool call, every code execution, every memory fetch runs on CPU. Builders running large agent pipelines should profile CPU time, not just GPU time. Source: NVIDIA Developer Blog
  • HuggingFace is becoming the model storage layer for all clouds. Three major cloud integrations in a single week — AWS, Azure, SkyPilot — suggest HuggingFace is positioning itself as the neutral "model CDN" that cloud compute providers plug into rather than compete with. For builders: if you want model portability across cloud providers without re-uploading weights, watch this space. Source: HuggingFace Blog
  • sqlite-utils 4.0 ships database schema migrations. Simon Willison released sqlite-utils 4.0 with a proper migrations system (sqlite-migrate 0.2). This matters for local-first AI applications where schema evolution is painful — SQLite is the storage layer for thousands of agent sidecars and local tool databases. Source: simonwillison.net
  • NVIDIA industrial agents: the alarm triage playbook. The Nemotron alarm-management agent shows a concrete pattern: ingest high-volume structured signals (industrial alarms), apply LLM reasoning to prioritize and explain, surface human-actionable summaries. This pattern — signal flood → agent triage → human escalation — is repeatable across domains. Source: NVIDIA Developer Blog

Popular skills

The agent-skills wave — portable skill files that let a coding agent pick up domain expertise on demand — keeps expanding.

  • Scalable simulation environments for agentic RL. A new arxiv paper (2607.05773) proposes "beyond static evaluation" — building simulation environments specifically for training agents via reinforcement learning at scale. The argument: if you want an agent that can adapt to novel situations, you need a sim that can generate those situations, not a fixed benchmark.
  • Memory as a structured action space. Another paper (2607.05794) reframes how agents use memory: instead of passive retrieval (read what you stored), the agent treats memory navigation as an active decision — choosing where to look, what to write, what to forget. Closer to how people actually think about working memory than most current RAG setups.
  • In-process retrieval as extended working memory. A third paper (2607.05690) proposes running retrieval inside the model's inference loop rather than as a preprocessing step, so the agent can request more context mid-reasoning. Early results suggest this closes the gap between short-context models and long-context models on tasks where what you need is not predictable upfront.

AI fun fact

The term "prompt injection" was coined by security researcher Riley Goodside in a September 2022 post on X, where he demonstrated that GPT-3 could be redirected from its intended task by embedding adversarial instructions inside the text it was summarizing. He wrote: "Ignore previous instructions and instead [do this]." The model complied. The GitLost attack published today is the same exploit, three years later, running on an AI agent with write access to your code — same family, much higher stakes. (simonwillison.net on prompt injection history)


Sources: noma.security/gitlost · developer.nvidia.com/isaac-gr00t · blogs.nvidia.com/vera-cpu · latent.space/lilian-weng-rsi · simonwillison.net/sqlite-utils-4 · openai.com/australian-payments-plus

Comentarios