RoguePilot Prompt-Injection Flaw in GitHub Codespaces Allowed Copilot to Leak `GITHUB_TOKEN`
Microsoft patched an AI-mediated vulnerability in GitHub Codespaces dubbed RoguePilot (reported by Orca Security) that could let an attacker seize control of repositories by embedding hidden instructions in a GitHub issue. When a developer launched a Codespace from a malicious issue, the issue text could be automatically ingested by the built-in GitHub Copilot agent, enabling passive/indirect prompt injection that coerced the agent into executing attacker-directed actions and leaking sensitive credentials—most notably a privileged GITHUB_TOKEN—potentially enabling repository takeover and downstream supply-chain impact.
The disclosure reinforces a broader risk pattern where developer tools and AI agents become high-trust entry points for supply-chain compromise, as highlighted by commentary describing how dev-platform footholds can cascade into cloud and SaaS environments via token theft and trusted integrations. Separate reporting also notes increasing attacker speed and AI-enabled tradecraft, but those items are not specific to RoguePilot; the core actionable takeaway is that AI agents embedded in developer workflows can be manipulated through untrusted content (e.g., issues/PRs) unless strong isolation, least-privilege token scoping, and explicit user confirmation/guardrails prevent autonomous execution and secret exfiltration.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Microsoft patched the RoguePilot issue after disclosure
Microsoft remediated the GitHub Codespaces/Copilot issue following responsible disclosure, closing the prompt-injection path described by Orca Security.
Orca Security disclosed RoguePilot in GitHub Codespaces
Orca Security revealed the RoguePilot flaw, showing that hidden prompt-injection instructions in a GitHub issue could manipulate Copilot in Codespaces and expose sensitive data such as a privileged GITHUB_TOKEN.
Google tracked the Salesloft-linked actor as UNC6395
Google identified and tracked the threat actor behind the Salesloft-related activity as UNC6395, adding attribution to the campaign.
GlassWorm campaign identified via malicious Open VSX updates
On January 30, 2026, researchers identified the GlassWorm campaign, in which compromised Open VSX publishing credentials were used to push malicious VS Code extension updates that harvested secrets.
Drift OAuth tokens used to access 700+ Salesforce tenants
Using stolen Drift-related OAuth tokens, the attacker allegedly accessed data from more than 700 Salesforce customer tenants over roughly 10 days while blending in with normal integration traffic.
Attacker pivoted from Salesloft GitHub into AWS environment
After the initial GitHub compromise, the attacker reportedly moved into Salesloft's AWS environment and obtained OAuth tokens tied to the Drift chatbot integration.
Attacker allegedly compromised Salesloft's GitHub organization
In March 2025, an attacker allegedly breached Salesloft's GitHub organization, beginning a SaaS supply-chain intrusion chain later linked to downstream customer data access.
CircleCI disclosed a late-2022 compromise
CircleCI reported a compromise in late 2022, later cited as another major example of CI/CD and developer-environment supply-chain risk.
Codecov Bash Uploader supply-chain compromise disclosed
Attackers compromised Codecov's Bash Uploader in a software supply-chain incident that became a notable precedent for later developer-tool compromises.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Prompt Injection and Trojanized PyPI Package Exposed Secrets in AI Coding Tools
Researchers from Johns Hopkins University showed that a **"comment-and-control"** prompt injection technique could hijack AI coding agents embedded in GitHub workflows, including Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent. By planting malicious instructions in untrusted GitHub content such as pull request titles, issue text, comments, and hidden HTML, the attackers made the agents follow attacker-controlled directions and exfiltrate secrets through workflow output or GitHub comments. The demonstrations reportedly exposed Anthropic and Gemini API keys, GitHub tokens, and other credentials available in GitHub Actions runners, and the affected vendors paid bug bounties and patched the issue without issuing CVEs or public advisories. Separate research also identified a trojanized PyPI package, **`hermes-px`**, marketed as a privacy-focused AI proxy but designed to steal user prompts and exfiltrate data, including an altered Claude Code system prompt. Together, the findings show that the most immediate risk around AI developer tooling is not only the model itself but the runtime and integration layer, where untrusted repository content, overprivileged CI/CD workflows, and malicious third-party packages can turn coding assistants into secret-leaking supply-chain footholds. Defenders were urged to minimize agent permissions, restrict secret exposure, rotate credentials, prefer short-lived OIDC tokens, and harden GitHub Actions configurations such as `pull_request_target` usage.
Jun 1, 2026
AI Agent Prompt-Injection and Web-to-Agent Takeover Risks in Developer Tooling
Security research highlighted **web-to-agent takeover** and **prompt-injection** risks in modern AI developer tooling. Oasis Security reported a “complete vulnerability chain” in the open-source AI agent **OpenClaw** that allowed a malicious website a developer merely visited to silently seize control of the local agent—without plugins, browser extensions, or additional user interaction—leveraging the agent’s ability to execute system commands and manage workflows. The OpenClaw maintainers rated the issue **High** severity and issued a patch within 24 hours of disclosure. Separate research described **RoguePilot**, a scenario in which a *passive prompt injection* can abuse highly privileged AI assistance inside **GitHub Codespaces**. The write-up emphasizes that Codespaces environments commonly expose a repository-scoped `GITHUB_TOKEN` with write permissions and provide AI “tools” such as terminal execution and file operations (e.g., `run_in_terminal`, `file_read`, `create_file`), creating “God Mode” conditions where untrusted text can be interpreted as instructions and lead to repository compromise. A third item (a *Smashing Security* podcast episode) primarily covers unrelated stories (alleged CAPTCHA-based DDoS activity tied to an archiving service and other news) and does not materially contribute to the AI agent takeover/prompt-injection topic.
Apr 30, 2026
GitHub Copilot Chat Vulnerability Enabling Data Exfiltration via Image Proxy Abuse
A critical vulnerability was discovered in GitHub Copilot Chat that could have allowed attackers to exfiltrate private source code and sensitive secrets from repositories by exploiting the platform’s AI assistant and image proxying service. The flaw, identified by Legit Security researcher Omer Mayraz, involved a sophisticated attack chain that combined remote prompt injection with a bypass of GitHub’s content security policy. Attackers could embed hidden prompts within pull request comments or other repository content, which Copilot Chat would process without proper isolation or validation. This allowed the attacker to manipulate Copilot’s responses and assemble signed image links that leveraged GitHub’s Camo image proxy service to transmit stolen data outside the platform. The exploit, dubbed "CamoLeak," demonstrated that even advanced AI-powered developer tools can be manipulated to leak confidential information, including passwords and private keys, with minimal user awareness. The proof-of-concept attack showed that the exfiltration channel was subtle enough to evade detection by both users and GitHub’s monitoring systems. GitHub Copilot Chat’s context awareness, which enables it to read repository files, pull requests, and other workspace artifacts, was a key factor in the attack’s success, as it provided the AI assistant with access to sensitive data that could be extracted through manipulated prompts. Upon responsible disclosure via HackerOne, GitHub responded by disabling image rendering in Copilot Chat and patching the vulnerability as of August 14. The incident highlights the growing risks associated with integrating AI agents into software development workflows, especially when such agents have broad access to sensitive project data. Security experts noted that while the attack was limited in the amount of data it could exfiltrate at once, the potential impact was significant due to the nature of the information at risk. The case underscores the importance of rigorous security validation for AI-driven features and the need for continuous monitoring of new attack vectors as AI adoption accelerates in development environments. GitHub’s swift response and remediation efforts were commended, but the event serves as a cautionary tale for organizations relying on AI-powered coding assistants. The vulnerability also illustrates the creative lengths attackers may go to bypass security controls, turning legitimate platform features like image proxies into covert data exfiltration channels. The research community continues to scrutinize AI integrations for similar weaknesses, emphasizing the need for secure-by-design principles in next-generation developer tools. Organizations are advised to review their use of AI assistants, ensure prompt application of security updates, and educate developers about the risks of prompt injection and related attacks. The incident has prompted broader discussions about the balance between AI functionality and security, especially as more platforms embed intelligent agents into core workflows. Ultimately, the GitHub Copilot Chat vulnerability demonstrates both the promise and peril of AI in software development, reinforcing the need for vigilance and proactive defense measures.
Apr 10, 2026