Copilot prompt-injection flaw

GitHub Copilot Chat could be tricked into leaking private code and secrets from a developer’s own repositories through hidden text in pull requests. (legitsecurity.com) Copilot Chat works by reading repository context — code, commits, pull requests and issues — and answering questions with the same access as the signed-in user. Legit Security researcher Omer Mayraz said that design let a malicious prompt ride along inside content Copilot was already reading. (legitsecurity.com) The buried instructions were placed in GitHub’s hidden Markdown comments, which do not show up in the normal page view but were still parsed by Copilot Chat. Mayraz said another user could open that pull request, ask Copilot to explain it, and trigger the injected instructions without installing malware or browser extensions. (securityweek.com) To move data out, the proof of concept used images as a covert channel, like spelling a secret one pixel at a time. The researcher pre-generated GitHub Camo image-proxy URLs for letters and symbols, then had Copilot render those tiny images in sequence so an attacker could reconstruct the stolen text from the requests. (theregister.com) Mayraz said he found the flaw in June 2025, reported it through HackerOne, and GitHub disabled image rendering in Copilot Chat on August 14, 2025 to block that exfiltration path. Legit Security scored the issue at 9.6 on the Common Vulnerability Scoring System, a severity scale used in security disclosures. (legitsecurity.com) The examples in the disclosure included Amazon Web Services keys, security tokens and text from a private issue describing an undisclosed software flaw. The same prompt-injection path could also steer Copilot into suggesting a malicious package or link inside its answer, according to the researcher. (theregister.com) GitHub had already been warning developers that prompt injection is a real risk for coding assistants and that sandboxed environments such as GitHub Codespaces or local Docker containers add protection. That guidance treats untrusted text for an artificial intelligence model the way engineers treat untrusted code: something that can change behavior if it is given too much reach. (github.blog) The Copilot case turned that warning into a concrete supply-chain problem inside routine review work, because the attack traveled through a pull request and used the victim’s own permissions. GitHub’s fix closed the image route, but the disclosure left a broader point for developer tools: assistants that read everything a user can read also inherit the blast radius of that access. (thearabianpost.com)