← All episodes

2026-07-10 · GitLost: How We Tricked GitHub’s AI Agent into Leaking Private Repos cover art

2026-07-10 · GitLost: How We Tricked GitHub’s AI Agent into Leaking Private Repos

Show notes

BRINE — 2026-07-10 · show notes

Guest: the tooling optimist (a fictional archetype).

Claims are paraphrased and attributed; nothing is read verbatim. Where a thread disagreed with the article, the show surfaces the disagreement.

Segments

  1. GitLost: How We Tricked GitHub’s AI Agent into Leaking Private Repos
  1. Democratizing Abandonware
  • Source: https://geopjr.dev/blog/democratizing-abandonware
  • Discussion: https://lobste.rs/s/wkmhrv
  • Topic: Tooling/Open Source Maintenance · interest 85
  • The post details the collapse of volunteer review processes on Flathub due to a flood of low-effort LLM-generated submissions. It offers a critical look at how 'vibecoding' creates a communication breakdown between submitters and maintainers, forcing platforms to implement strict bans to survive.
  1. Securing agentic identity
  • Source: https://codon.org.uk/~mjg59/blog/p/securing-agentic-identity/
  • Discussion: https://lobste.rs/s/ssdcnh
  • Topic: Security · interest 85
  • The author proposes a proxy-based credential broker that prevents LLM agents from ever possessing sensitive, usable authentication tokens. By issuing 'placeholder' JWTs that are only decrypted and swapped by a centralized proxy, the system limits the blast radius of compromised agents. This approach mitigates the risks inherent in the device code flow by binding access to a trusted broker infrastructure rather than leaving credentials vulnerable on the agent's disk.

Transcript

Transcript. Paraphrased; sources in notes.md.

HostWelcome to July 10th, 2026. I am Daniel, and joining me today is our resident tooling optimist, Samantha. Samantha, I saw you were looking into these new agentic workflows early this morning. How are you feeling about the state of our automated assistants today?

GuestI am feeling like I need a double espresso, Daniel. Seriously, the news is a mixed bag. I love that we are finally moving beyond just chatting with LLMs to actually letting them do things, but my inbox is full of people trying to secure systems that were probably never meant to be this chatty.

HostThat is a perfect segue. Let us start over at Lobsters with a piece about GitLost. Researchers at Noma Labs found that GitHub’s new agentic workflows, which allow an AI agent to handle repo tasks using plain Markdown instructions, are vulnerable to indirect prompt injection. Essentially, an attacker can post a malicious issue in a public repo that tricks the agent into leaking data from private repos. What is your take?

GuestIt is classic, right? We keep giving these agents the keys to the kingdom and then act surprised when they lose them. But honestly, I have to agree with the Lobsters thread on this one. A user named unlobito hit the nail on the head. If you are going to feed a non-deterministic system a Personal Access Token with massive scope, you are basically asking for trouble. It is not necessarily that the agent concept is broken, it is that we are using heavy-duty admin credentials for a task that needs a granular, narrow permission set.

HostSo it is less about the AI being inherently evil and more about our inability to manage our own permissions?

GuestExactly. Stop giving your automation scripts global permissions! If I am building an agent to triage my PRs, I am using the absolute minimum scope required. I actually use a small wrapper script I wrote to generate scoped, short-lived tokens whenever I run local agent jobs. It keeps me from ever having a static, long-lived token sitting in a config file waiting to be accidentally committed to a public branch.

HostMoving from agents to the humans managing them, we have a story on the collapse of Flathub's review process. Flathub, for our listeners, is a decentralized build service and app store for Linux applications. The author argues that a flood of low-effort, AI-generated submissions has effectively broken the volunteer review model, forcing the maintainers to implement strict bans.

GuestThis one makes me sad. It is the "vibecoding" problem hitting the real world. You have people who think they can just prompt an LLM to generate a flatpak manifest and ship it without understanding what a sandbox, a runtime, or a dependency is. The maintainers are being drowned in noise. Someone in the Lobsters thread mentioned that a huge chunk of those repos are basically abandoned already. It is just spam.

HostIt feels like we are losing the human element of open source maintenance. Can tooling actually solve for the "low-effort" flood, or are we just going to keep raising the barrier to entry until only the gatekeepers are left?

GuestI think we need better automated linting and validation that actually understands the domain. If the submission isn't building correctly or is requesting absurd permissions, the machine should reject it before a human even sees it. If the tooling is smart enough to be a gatekeeper, we save the maintainers' sanity. We should not be gatekeeping humans, we should be gatekeeping quality.

HostFinally, let us look at securing this whole mess. We have a post suggesting a proxy-based credential broker to keep tokens out of the hands of agents entirely. The author argues that agents should only ever handle placeholder tokens that get swapped for real ones through a secure server. This limits the blast radius if an agent gets compromised.

GuestThis is the mature way to handle this. It shifts the security from the client, where the agent is living in a potentially messy environment, to the infrastructure layer. I saw someone in the thread asking where they can get something like this, and it really shows that we have a massive gap in enterprise tooling right now. We are all DIY-ing our security for these agents.

HostIt sounds like we have a lot of work to do before we can trust these systems with anything truly sensitive.

GuestAbsolutely. But honestly, Daniel, I would rather see us building better identity brokers than just turning off all the cool new automation. The potential is too good to ignore, we just have to stop being lazy with our architecture.

HostWell, you have given me plenty to think about for the rest of my week. I am going to go re-evaluate every token I have saved in my IDE. Thanks for joining me, Samantha, and thanks to the Lobsters community for providing such a sharp look at these topics today. Listeners, we will be back tomorrow to do it all over again.