A vulnerability codenamed RoguePilot in GitHub Codespaces could allow attackers to seize control of repositories by injecting malicious Copilot instructions via a GitHub issue, enabling silent execution of commands and leakage of a privileged GITHUB_TOKEN. According to Orca Security, attackers can embed hidden prompts inside an issue that Copilot processes, creating a passive or indirect prompt injection that turns the AI into carrying out malicious actions.
The flaw is described as an AI-mediated supply chain attack where the prompt is embedded in developer content and triggered when a Codespace is opened from the issue, with Copilot fed the issue description as a prompt to generate responses. The attack can be stealthy by hiding the prompt in an HTML comment within the issue, directing Copilot to exfiltrate data to an external server under the attacker’s control.
Microsoft has patched the vulnerability following responsible disclosure, and the report notes multiple entry points for Codespaces, including templates, repositories, commits, pull requests, or issues.