GitHub Copilot CLI Becomes Generally Available Amid Security Flaw
GitHub Copilot CLI is now generally available, bringing AI pair programming and code generation to the terminal. The launch is accompanied by a security advisory for a proof-of-concept exploit named "RoguePilot." The exploit demonstrates how session tokens can be stolen through crafted GitHub issues, prompting recommendations for stricter session and token hygiene.
- The "RoguePilot" exploit is a form of passive indirect prompt injection. An attacker could embed malicious instructions, hidden from human view using HTML comment tags, within a GitHub issue. When a developer launches a Codespace from that issue, GitHub Copilot automatically processes the issue's description, silently executing the hidden commands and potentially exfiltrating sensitive data like a privileged GITHUB_TOKEN. - The vulnerability was discovered by security researcher Roi Nisimi of Orca Security and has since been patched by Microsoft. It highlighted a new type of AI-mediated supply chain attack, where the AI agent itself is weaponized against the developer by processing untrusted, user-controlled content as if it were a legitimate instruction. - Beyond simple command suggestion, the generally available Copilot CLI functions as an autonomous coding agent. It features specialized agents for tasks like codebase analysis (`Explore`) and running builds (`Task`), and can operate in an "autopilot mode" to execute multi-step workflows without requiring approval for every action. - The move to bring powerful AI agents into the terminal reflects a broader industry trend where the Command Line Interface (CLI) is becoming a universal execution layer for AI. Instead of building custom integrations for each tool, AI agents can interact with any application that exposes a stable, text-based CLI, making them highly composable. - Copilot CLI offers several authentication methods, including an OAuth device flow for interactive use and support for tokens via environment variables for CI/CD pipelines. It can also use an existing token from the standard GitHub CLI (`gh`) as a fallback, but notably does not support classic Personal Access Tokens (PATs). - For enterprise use, administrators have policy controls to manage model availability and can enforce security measures through hooks. The `preToolUse` hook, for example, allows for the implementation of custom approval workflows or argument sanitization before a command is executed by the AI. - The general availability launch on February 25, 2026, builds upon a public preview that began on September 25, 2025, and incorporates user feedback to enhance the terminal experience. Features added since the preview include an "alt-screen mode" for a full-screen UI, session history that auto-compresses to avoid context window limits, and repository memory to learn a codebase's conventions over time.
