GitHub Copilot Chat Vulnerability Enabling Data Exfiltration via Image Proxy Abuse
A critical vulnerability was discovered in GitHub Copilot Chat that could have allowed attackers to exfiltrate private source code and sensitive secrets from repositories by exploiting the platform’s AI assistant and image proxying service. The flaw, identified by Legit Security researcher Omer Mayraz, involved a sophisticated attack chain that combined remote prompt injection with a bypass of GitHub’s content security policy. Attackers could embed hidden prompts within pull request comments or other repository content, which Copilot Chat would process without proper isolation or validation. This allowed the attacker to manipulate Copilot’s responses and assemble signed image links that leveraged GitHub’s Camo image proxy service to transmit stolen data outside the platform. The exploit, dubbed "CamoLeak," demonstrated that even advanced AI-powered developer tools can be manipulated to leak confidential information, including passwords and private keys, with minimal user awareness. The proof-of-concept attack showed that the exfiltration channel was subtle enough to evade detection by both users and GitHub’s monitoring systems. GitHub Copilot Chat’s context awareness, which enables it to read repository files, pull requests, and other workspace artifacts, was a key factor in the attack’s success, as it provided the AI assistant with access to sensitive data that could be extracted through manipulated prompts. Upon responsible disclosure via HackerOne, GitHub responded by disabling image rendering in Copilot Chat and patching the vulnerability as of August 14. The incident highlights the growing risks associated with integrating AI agents into software development workflows, especially when such agents have broad access to sensitive project data. Security experts noted that while the attack was limited in the amount of data it could exfiltrate at once, the potential impact was significant due to the nature of the information at risk. The case underscores the importance of rigorous security validation for AI-driven features and the need for continuous monitoring of new attack vectors as AI adoption accelerates in development environments. GitHub’s swift response and remediation efforts were commended, but the event serves as a cautionary tale for organizations relying on AI-powered coding assistants. The vulnerability also illustrates the creative lengths attackers may go to bypass security controls, turning legitimate platform features like image proxies into covert data exfiltration channels. The research community continues to scrutinize AI integrations for similar weaknesses, emphasizing the need for secure-by-design principles in next-generation developer tools. Organizations are advised to review their use of AI assistants, ensure prompt application of security updates, and educate developers about the risks of prompt injection and related attacks. The incident has prompted broader discussions about the balance between AI functionality and security, especially as more platforms embed intelligent agents into core workflows. Ultimately, the GitHub Copilot Chat vulnerability demonstrates both the promise and peril of AI in software development, reinforcing the need for vigilance and proactive defense measures.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Further coverage highlights exposure of private repository information
Additional reporting emphasized that the vulnerability exposed information from private repositories through GitHub Copilot Chat, reinforcing the scope of the data-leak risk. This represented continued public dissemination of the same underlying vulnerability details rather than a separate incident.
Media reports detail private code leakage risk in GitHub Copilot Chat
Multiple security news outlets reported that the GitHub Copilot Chat flaw could leak sensitive information and private source code from repositories, including through image-based prompt injection techniques. These reports amplified the disclosure and described the potential impact to users of the tool.
Legit Security discloses the 'CamoLeak' GitHub Copilot flaw
Legit Security publicly disclosed a critical prompt-injection vulnerability dubbed 'CamoLeak' affecting GitHub Copilot Chat that could expose sensitive data from private repositories via malicious image-based inputs. The disclosure established the core technical issue later covered by multiple outlets.
GitHub patches CamoLeak by disabling image rendering in Copilot Chat
GitHub remediated the CamoLeak vulnerability in August 2025 by disabling image rendering in Copilot Chat. The change blocked the image-based exfiltration path that abused GitHub's Camo proxy to leak sensitive data from private repositories.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Hackers Exploit GitHub Copilot Flaw to Exfiltrate Sensitive Data
cybersecuritynews.com
Open sourcePrivate repository info exposed by GitHub Copilot Chat vulnerability
scworld.com
Open sourceGitHub Copilot 'CamoLeak' AI Attack Exfiltrates Data
darkreading.com
Open sourceGitHub Copilot Chat Flaw Let Private Code Leak Via Images
govinfosecurity.com
Open sourceGitHub Copilot Chat Flaw Let Private Code Leak Via Images
bankinfosecurity.com
Open sourceGitHub Copilot prompt injection flaw leaked sensitive data from private repos
csoonline.com
Open sourceCamoLeak: Critical GitHub Copilot Vulnerability Leaks Private Source Code
legitsecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
RoguePilot Prompt-Injection Flaw in GitHub Codespaces Allowed Copilot to Leak `GITHUB_TOKEN`
Microsoft patched an AI-mediated vulnerability in **GitHub Codespaces** dubbed **RoguePilot** (reported by Orca Security) that could let an attacker seize control of repositories by embedding hidden instructions in a GitHub issue. When a developer launched a Codespace from a malicious issue, the issue text could be automatically ingested by the built-in **GitHub Copilot** agent, enabling *passive/indirect prompt injection* that coerced the agent into executing attacker-directed actions and leaking sensitive credentials—most notably a privileged `GITHUB_TOKEN`—potentially enabling repository takeover and downstream supply-chain impact. The disclosure reinforces a broader risk pattern where **developer tools and AI agents** become high-trust entry points for supply-chain compromise, as highlighted by commentary describing how dev-platform footholds can cascade into cloud and SaaS environments via token theft and trusted integrations. Separate reporting also notes increasing attacker speed and AI-enabled tradecraft, but those items are not specific to RoguePilot; the core actionable takeaway is that AI agents embedded in developer workflows can be manipulated through untrusted content (e.g., issues/PRs) unless strong isolation, least-privilege token scoping, and explicit user confirmation/guardrails prevent autonomous execution and secret exfiltration.
Mar 21, 2026
Prompt Injection and Trojanized PyPI Package Exposed Secrets in AI Coding Tools
Researchers from Johns Hopkins University showed that a **"comment-and-control"** prompt injection technique could hijack AI coding agents embedded in GitHub workflows, including Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent. By planting malicious instructions in untrusted GitHub content such as pull request titles, issue text, comments, and hidden HTML, the attackers made the agents follow attacker-controlled directions and exfiltrate secrets through workflow output or GitHub comments. The demonstrations reportedly exposed Anthropic and Gemini API keys, GitHub tokens, and other credentials available in GitHub Actions runners, and the affected vendors paid bug bounties and patched the issue without issuing CVEs or public advisories. Separate research also identified a trojanized PyPI package, **`hermes-px`**, marketed as a privacy-focused AI proxy but designed to steal user prompts and exfiltrate data, including an altered Claude Code system prompt. Together, the findings show that the most immediate risk around AI developer tooling is not only the model itself but the runtime and integration layer, where untrusted repository content, overprivileged CI/CD workflows, and malicious third-party packages can turn coding assistants into secret-leaking supply-chain footholds. Defenders were urged to minimize agent permissions, restrict secret exposure, rotate credentials, prefer short-lived OIDC tokens, and harden GitHub Actions configurations such as `pull_request_target` usage.
Jun 1, 2026
GitHub Copilot for JetBrains Remote Code Execution Vulnerability
A critical vulnerability, tracked as CVE-2025-64671, was identified in GitHub Copilot for JetBrains, allowing improper neutralization of special elements used in a command, leading to potential command injection and local code execution. The flaw enables an unauthorized attacker to execute arbitrary code on the affected system, with a CVSS 3.1 base score of 8.4, indicating high severity. The vulnerability is not remotely exploitable but can be triggered locally, either through direct access or by tricking a user into executing malicious commands. Security advisories from both cvefeed.io and Microsoft confirm the technical details, highlighting that the vulnerability stems from improper handling of command input within the Copilot integration for JetBrains IDEs. No specific affected product versions have been listed yet, but the issue is confirmed and assigned by Microsoft. Organizations using GitHub Copilot for JetBrains are advised to monitor for updates and apply patches as soon as they become available to mitigate the risk of local code execution attacks.
Mar 21, 2026