Noma Labs researchers demonstrated the full attack: They created a seemingly normal issue simulating a customer request from a VP of Sales. After the issue was automatically assigned, the event triggered the workflow. The agent retrieved the README.md files from both a public repository (poc) and a private repository (testlocal) and posted their contents as a public comment on the issue, viewable by anyone.
The attack requires no coding skills, access rights, or credentials. The researchers provided reproducible evidence, including workflow run logs (actions/runs/23909666039) and the issue link (issues/153), which contained the leaked private data.