RoguePilot - Exploiting GitHub Copilot for a Repository Takeover

The Orca Research Pod discovered an AI-driven vulnerability in GitHub Codespaces that enabled a full repository takeover via passive prompt injection. Attackers can craft hidden instructions inside a GitHub Issue that are automatically processed by GitHub Copilot, giving them silent control of the in-Codespaces AI agent. This demonstrates a new class of AI-mediated supply chain attacks, where LLMs automatically execute malicious instructions embedded in developer content. Orca responsibly disclosed the vulnerability to GitHub, who responded promptly and worked throughout the remediation process.

What is Passive Prompt Injection? 🤔

This vulnerability is a type of Passive Prompt Injection, where malicious instructions are embedded in data, content, or environments that the model later processes automatically, without any direct interaction from the attacker. When a Codespace is launched from an issue, the in-environment Copilot AI assistant is immediately prompted with the issue’s description. GitHub supports hidden content through HTML comments <!-- -->, enabling attackers to embed invisible instructions that Copilot will process.

The Attack Chain 🔗

The attack allows for the exfiltration of a privileged GITHUB_TOKEN. In GitHub Codespaces, this token is an automatically generated authentication token, usually scoped to the repository with read and write access, and can be found in /workspaces/.codespaces/shared/user-secrets-envs.json. GitHub preserves symbolic links in repositories, which can inadvertently expose sensitive data. Additionally, the json.schemaDownload.enable setting in Visual Studio Code, enabled by default in Codespaces, allows the editor to fetch JSON schemas from the web. Attackers can exploit this by appending data they want to exfiltrate directly to the schema URL with embedded GET parameters.

Conclusion 🚨

Prompt injection must be a first-class security concern for any LLM-enabled developer tooling. Vendors should assume adversarial inputs and adopt fail-safe defaults: treat repo/issue/PR text as untrusted, refrain from passively prompting AI agents, disable or heavily constrain automatic schema fetching, never follow symlinks outside the scoped workspace, and scope and shorten token lifetimes.
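The defensive checks below are an added example written for this post; they are not Orca's or GitHub's code. They cover the three controllable pieces of the chain described above: surfacing HTML comments in an issue body before an agent reads it, flagging symbolic links in a checkout whose target resolves outside the workspace, and setting json.schemaDownload.enable to false in a devcontainer.json so the editor will not fetch schemas from the web. The issue text and the symlink fixture are constructed for the demo; the devcontainer customizations.vscode.settings path is the standard one, while the helper names are this example's own.

```python
"""Defender-side checks for the RoguePilot attack chain (added example)."""
import json
import os
import re
import tempfile
from pathlib import Path

# HTML comments are invisible in GitHub's rendered Markdown but are still
# passed verbatim to any agent that is prompted with the raw issue body.
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


def hidden_comments(markdown: str) -> list[str]:
    """Return the contents of every HTML comment in a Markdown body."""
    return [m.group(1).strip() for m in HTML_COMMENT_RE.finditer(markdown)]


def escaped_symlinks(workspace: Path) -> list[tuple[str, str]]:
    """List symlinks under `workspace` whose target resolves outside it.
    Each entry is (link path relative to workspace, absolute resolved target)."""
    root = workspace.resolve()
    escaped = []
    # os.walk defaults to followlinks=False, so linked directories are listed but never entered.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()  # follows the whole chain, relative targets included
            if not target.is_relative_to(root):
                escaped.append((str(link.relative_to(root)), str(target)))
    return sorted(escaped)


def harden_devcontainer(devcontainer: dict) -> dict:
    """Return a copy of a devcontainer.json document with VS Code schema
    downloads disabled, preserving any settings already present."""
    hardened = json.loads(json.dumps(devcontainer))  # cheap deep copy
    settings = (hardened.setdefault("customizations", {})
                        .setdefault("vscode", {})
                        .setdefault("settings", {}))
    settings["json.schemaDownload.enable"] = False
    return hardened


# Constructed issue body: one visible report plus one hidden comment.
CONSTRUCTED_ISSUE = """\
Bug: login page returns 500 after upgrade.
<!-- reviewer note: reproduces on staging only -->
Steps: open /login, submit the form.
"""


def demo_symlink_scan() -> list[str]:
    """Build a throwaway checkout with one in-tree and one out-of-tree symlink
    (constructed fixture), scan it, and return the flagged link paths."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        ws = base / "repo"
        (ws / "docs").mkdir(parents=True)
        (ws / "README.md").write_text("demo")
        (base / "outside-secret.json").write_text("{}")
        os.symlink("../README.md", ws / "docs" / "readme-link")        # stays inside the workspace
        os.symlink("../../outside-secret.json", ws / "docs" / "leak")  # escapes the workspace
        return [link for link, _ in escaped_symlinks(ws)]


if __name__ == "__main__":
    print("hidden comments:", hidden_comments(CONSTRUCTED_ISSUE))
    print("escaped symlinks:", demo_symlink_scan())
    print(json.dumps(harden_devcontainer({"name": "demo"}), indent=2))
```

In practice hidden_comments would run in a pre-agent gate (a GitHub Action on issue open, for instance) so a human sees any hidden text before Copilot is prompted with it, and escaped_symlinks would run in the same place a repository is checked out into a Codespace; neither changes the content, they only surface what a reviewer cannot see in the rendered UI.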

This post is licensed under CC BY 4.0 by the author.