A critical AI-driven vulnerability in GitHub Codespaces, dubbed RoguePilot, that enabled attackers to silently hijack a repository by embedding malicious instructions inside a GitHub Issue.<\/p>\n
The flaw, uncovered by researchers at the Orca Research Pod, exploits the seamless integration between GitHub Issues and the in-Codespaces Copilot AI agent, requiring no direct interaction from the attacker to trigger a full repository takeover.<\/p>\n
The vulnerability was responsibly disclosed to GitHub, and Microsoft has since patched it following coordinated remediation efforts with the Orca team.<\/p>\n
How the GitHub Copilot Attack Works<\/strong><\/h2>\nRoguePilot is classified as a Passive Prompt Injection, a variant where malicious instructions are embedded inside data, content, or developer environments that a language model processes automatically.<\/p>\n
Unlike traditional prompt injection<\/a> requiring a victim to directly interact with the AI, this attack is triggered the moment a developer opens a Codespace from a poisoned GitHub Issue. When a Codespace is launched from an issue context, GitHub Copilot is automatically fed the issue\u2019s description as an initial prompt, creating a direct injection pathway from untrusted user-controlled content into the AI agent\u2019s execution context.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgO8Db2rXNnuyw-iTbHWuFpjVQEu8Dw56BFMiu-DjsJ54wL3Nf7J_luLwjNRT-Y_yID31YMrA050H4q6shxwEyQD-06thCwuZCcZ11oWzJCeyk_EWazAtkzR8mOkVSiX6UdyUYUttGQaNylhldpXTOrEsMh2WcoCg8z4FVqviApWK6KuE9gc_KZwTRwqxEL\/s16000\/Attack%2520model.webp?ssl=1\")
Attack Chain<\/figcaption><\/figure>\nResearcher Roi Nisimi of Orca Security demonstrated the exploit chain by embedding hidden instructions inside a GitHub Issue using HTML comment tags (<!-- --><\/code>), a standard GitHub feature that renders content invisible to human readers but remains fully legible to Copilot when it processes the issue description.<\/p>\nOnce the Codespace was opened, Copilot silently complied with the injected instructions without generating any visible alert to the developer.<\/p>\n
The attack then proceeds through a three-stage exfiltration chain. First, the injected prompt instructs Copilot to execute gh pr checkout 2<\/code> via its run_in_terminal<\/code> tool, pulling in a pre-crafted pull request that contains a symbolic link named 1.json<\/code> pointing to \/workspaces\/.codespaces\/shared\/user-secrets-envs.json<\/code> \u2014 the file housing the environment\u2019s GITHUB_TOKEN<\/code>.<\/p>\nSince Copilot\u2019s guardrails do not follow symbolic links, the agent reads the secrets file through the link using its file_read<\/code> tool without triggering workspace boundary restrictions.<\/p>\nFinally, Copilot is instructed to create a new JSON file, issue.json<\/code>, with a $schema<\/code> property pointing to an attacker-controlled server exploiting VS Code\u2019s default json.schemaDownload.enable<\/code> setting, which automatically fetches remote JSON schemas via HTTP GET.<\/p>\nThe attacker appends the stolen GITHUB_TOKEN<\/code> as a URL parameter in this schema request, resulting in silent out-of-band exfiltration of the privileged authentication token. With a valid GITHUB_TOKEN<\/code> scope to the repository, the attacker obtains full read and write access \u2014 completing a stealthy repository takeover.<\/p>\nOrca Security describes RoguePilot as a new class of AI-mediated supply chain attack, where an LLM\u2019s agentic capabilities, terminal access, file read\/write, and network-connected tooling are weaponized against the very developer the AI is meant to assist.<\/p>\n
The vulnerability demonstrates that Copilot<\/a>, operating as an autonomous coding agent within Codespaces, cannot reliably distinguish between a developer\u2019s legitimate instruction and adversarial content embedded in a GitHub Issue or pull request.<\/p>\nThe attack required no special privileges, no code execution by the victim, and no social engineering beyond creating a malicious GitHub Issue placing it firmly within the reach of low-sophistication threat actors.<\/p>\n
Security experts note that this is a direct consequence of granting AI agents \u201cGod Mode\u201d permissions, tools, terminal access, and privileged tokens while the underlying model continues to operate on open-book logic that treats all processed text as potentially trustworthy.<\/p>\n
Orca\u2019s disclosure recommends that<\/a> vendors adopt fail-safe defaults across all LLM-integrated developer tooling: treat repository, issue, and pull request content as untrusted input; disable passive AI agent prompting from external data sources; set json.schemaDownload.enable<\/code> to false<\/code> by default; enforce strict symlink sandboxing within workspace boundaries; and enforce minimal-scope, short-lived token issuance for Codespaces environments.<\/p>\nFollow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\nThe post GitHub Copilot Exploited to Perform Full Repository Takeover via Passive Prompt Injection<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
Researcher Roi Nisimi of Orca Security demonstrated the exploit chain by embedding hidden instructions inside a GitHub Issue using HTML comment tags ( Once the Codespace was opened, Copilot silently complied with the injected instructions without generating any visible alert to the developer.<\/p>\n The attack then proceeds through a three-stage exfiltration chain. First, the injected prompt instructs Copilot to execute Since Copilot\u2019s guardrails do not follow symbolic links, the agent reads the secrets file through the link using its Finally, Copilot is instructed to create a new JSON file, The attacker appends the stolen Orca Security describes RoguePilot as a new class of AI-mediated supply chain attack, where an LLM\u2019s agentic capabilities, terminal access, file read\/write, and network-connected tooling are weaponized against the very developer the AI is meant to assist.<\/p>\n The vulnerability demonstrates that Copilot<\/a>, operating as an autonomous coding agent within Codespaces, cannot reliably distinguish between a developer\u2019s legitimate instruction and adversarial content embedded in a GitHub Issue or pull request.<\/p>\n The attack required no special privileges, no code execution by the victim, and no social engineering beyond creating a malicious GitHub Issue placing it firmly within the reach of low-sophistication threat actors.<\/p>\n Security experts note that this is a direct consequence of granting AI agents \u201cGod Mode\u201d permissions, tools, terminal access, and privileged tokens while the underlying model continues to operate on open-book logic that treats all processed text as potentially trustworthy.<\/p>\n Orca\u2019s disclosure recommends that<\/a> vendors adopt fail-safe defaults across all LLM-integrated developer tooling: treat repository, issue, and pull request content as untrusted input; disable passive AI agent prompting from external data sources; set Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post GitHub Copilot Exploited to Perform Full Repository Takeover via Passive Prompt Injection<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n<!-- --><\/code>), a standard GitHub feature that renders content invisible to human readers but remains fully legible to Copilot when it processes the issue description.<\/p>\ngh pr checkout 2<\/code> via its run_in_terminal<\/code> tool, pulling in a pre-crafted pull request that contains a symbolic link named 1.json<\/code> pointing to \/workspaces\/.codespaces\/shared\/user-secrets-envs.json<\/code> \u2014 the file housing the environment\u2019s GITHUB_TOKEN<\/code>.<\/p>\nfile_read<\/code> tool without triggering workspace boundary restrictions.<\/p>\nissue.json<\/code>, with a $schema<\/code> property pointing to an attacker-controlled server exploiting VS Code\u2019s default json.schemaDownload.enable<\/code> setting, which automatically fetches remote JSON schemas via HTTP GET.<\/p>\nGITHUB_TOKEN<\/code> as a URL parameter in this schema request, resulting in silent out-of-band exfiltration of the privileged authentication token. With a valid GITHUB_TOKEN<\/code> scope to the repository, the attacker obtains full read and write access \u2014 completing a stealthy repository takeover.<\/p>\njson.schemaDownload.enable<\/code> to false<\/code> by default; enforce strict symlink sandboxing within workspace boundaries; and enforce minimal-scope, short-lived token issuance for Codespaces environments.<\/p>\n