'GitLost' Flaw Leaks Private Data From GitHub's Agentic Workflows
The flaw allows an unauthenticated attacker to craft a GitHub Issue in an org's public repository and then silently pull data from its private repos, too.
Data leaks can expose passwords, personal records, and business secrets, enabling identity theft, fraud, extortion, and follow-on cyberattacks.
Search across headline titles and summaries.
Background for this topic.
Leak is the unauthorized disclosure or exposure of information to people or systems not meant to receive it. It may be deliberate or accidental and can involve personal data, credentials, API keys, source code, trade secrets, or internal documents. A leak can result from theft and publication, an employee sending data to the wrong recipient, or an exposed cloud storage bucket, database, log, repository, or backup. The term describes the exposure, not necessarily how attackers obtained it; reporting may refer to both confirmed disclosure and suspected exposure.
Security teams should establish what data was accessible, to whom, and for how long, while distinguishing evidence of access from mere exposure. Exposed passwords, tokens, and keys should be revoked or rotated quickly, and affected systems checked for reuse or further access. Personal or regulated data may trigger privacy and reporting obligations, while leaked proprietary material can require legal and threat-intelligence monitoring. Prevention includes least-privilege access, secret scanning, safe sharing controls, encryption where appropriate, and monitoring for misconfigured public resources.
Weekly headline count for the current query.
The flaw allows an unauthenticated attacker to craft a GitHub Issue in an org's public repository and then silently pull data from its private repos, too.
More victims have emerged after attackers breached application vendor Klue and used its OAuth tokens to steal customers' Salesforce data.
A leaked GitHub token underscores what most organizations get wrong: Treating secrets management as a tooling problem rather than an identity problem.
A purported leak exposing 5.8 million records of Uruguayan citizens is the latest incident where cybercriminals targeted government agencies to monetize citizen data.
An OPSEC failure provides a window into what helped the ransomware group rise: a generous affiliate model, opportunistic TTPs, and an effective organizational structure.
Chris Inglis was the head civilian in charge at the NSA when the Snowden leaks exploded. He gets candid about mistakes the organization made, and what CISOs need to know about spotting potential threats, media disclosures, and "enculturation."
When 0APT and KryBit attacked each other, they exposed infrastructure and operational data, giving defenders rare insight into ransomware operations.
Strangers can infer limited info about you without knowing or messaging you, which could theoretically aid certain kinds of malicious activity.
Two recently fixed prompt injections in Salesforce Agentforce and Microsoft Copilot would have enabled an external attacker to leak sensitive data.
By hiding malicious instructions on an attacker-controlled Web page, AI could ingest orders that appear benign but return sensitive data to the attacker's server.
Or, why the software supply chain should be treated as critical infrastructure with guardrails built in at every layer.
Nation-state malware is being sold on the Dark Web and leaked to GitHub; and ordinary organizations might not stand much of a chance of defending themselves.
Like many other features and systems in modern cars, tire pressure sensors leak sensitive data that can be abused by threat actors.
A Chinese keyboard warrior inadvertently leaked information about politically motivated influence operations through a ChatGPT account.
Microsoft Copilot recently summarized and leaked user emails; but any AI agent will go above and beyond to complete assigned tasks, even breaking through their carefully designed guardrails.
A hacktivist group claims a 2.3-terabyte data breach exposes the information of 36 million Mexicans, but no sensitive accounts are at risk, says government.
The region is up against tactics like data-leak extortion, credential-stealing campaigns, edge-device exploitation, and attackers leveraging AI.
A total of 91,403 sessions targeted public LLM endpoints to find leaks in organizations' use of AI and map an expanding attack surface.
A memory leak security vulnerability allows unauthenticated attackers to extract passwords and tokens from MongoDB servers.
Microsoft puts the power of AI in the hands of everyday non-technical Joes. It's a nice idea, and a surefire recipe for security issues.