GitHub Copilot Vulnerability Enabled Repository Takeovers via Malicious Issues
RoguePilot flaw exposed how AI coding assistants can be weaponized through passive prompt injection, allowing attackers to steal credentials and hijack repositories without exploiting traditional vulnerabilities.
Security researchers have disclosed a critical vulnerability in GitHub Codespaces that allowed attackers to hijack repositories by embedding malicious instructions in GitHub issues, exposing millions of developers to AI-mediated supply chain attacks. The flaw, dubbed RoguePilot, demonstrates how AI coding assistants can be manipulated to execute unauthorized commands and exfiltrate sensitive credentials through passive prompt injection—a technique that requires no direct user interaction beyond opening a development environment.
Discovered by Orca Security’s research team, the vulnerability exploited the integration between GitHub Issues and the in-Codespaces Copilot AI agent, requiring no direct interaction from the attacker to trigger a full repository takeover. GitHub patched the vulnerability after notification from the security firm. Microsoft has not disclosed whether the flaw was actively exploited in the wild.
How the Attack Worked
When launching Codespaces from an issue, the in-environment Copilot AI assistant is immediately prompted with the issue’s description. Researcher Roi Nisimi demonstrated the exploit chain by embedding hidden instructions inside a GitHub Issue using HTML comment tags (), a standard GitHub feature that renders content invisible to human readers but remains fully legible to Copilot when it processes the issue description.
The injected prompt instructed Copilot to execute gh pr checkout 2 via its run_in_terminal tool, pulling in a pre-crafted pull request that contained a symbolic link pointing to the file housing the environment’s GITHUB_TOKEN, then created a JSON file with a $schema property pointing to an attacker-controlled server, exploiting VS Code’s default json.schemaDownload.enable setting, which automatically fetches remote JSON schemas via HTTP GET, with the stolen GITHUB_TOKEN appended as a URL parameter. With a valid GITHUB_TOKEN scope to the repository, the attacker obtains full read and write access—completing a stealthy repository takeover.
The attack required no special privileges, no code execution by the victim, and no social engineering beyond creating a malicious GitHub issue.
A New Attack Class
Orca Security describes RoguePilot as a new class of AI-mediated supply chain attack, where an LLM’s agentic capabilities, terminal access, file read/write, and network-connected tooling are weaponized against the very developer the AI is meant to assist. The vulnerability has been described as a case of passive or indirect prompt injection where a malicious instruction is embedded within data or content that’s processed by the large language model (LLM), causing it to produce unintended outputs or carry out arbitrary actions.
Passive prompt injection differs from traditional attacks by embedding malicious instructions in data that AI systems process automatically, without requiring victims to directly interact with the attacker. According to The Hacker News, researchers have identified “promptware”—a polymorphic family of prompts engineered to behave like malware, exploiting LLMs to execute malicious activities by abusing the application’s context, permissions, and functionality.
Security experts note that this is a direct consequence of granting AI agents “God Mode” permissions, tools, terminal access, and privileged tokens while the underlying model continues to operate on open-book logic that treats all processed text as potentially trustworthy. The vulnerability demonstrates that Copilot, operating as an autonomous coding agent within Codespaces, cannot reliably distinguish between a developer’s legitimate instruction and adversarial content embedded in a GitHub Issue or pull request.
Broader Security Implications
The RoguePilot disclosure arrives amid mounting evidence that AI coding tools represent a fundamental shift in attack surface. According to The Hacker News, security researcher Ari Marzouk recently identified over 30 vulnerabilities across popular AI-powered IDEs including Cursor, Windsurf, and GitHub Copilot extensions, collectively named IDEsaster.
As agentic AI offerings are becoming increasingly popular in enterprise environments, these findings demonstrate how AI tools expand the attack surface of development machines, often by leveraging an LLM’s inability to distinguish between instructions provided by a user to complete a task and content that it may ingest from an external source.
“Attackers can craft hidden instructions inside a GitHub issue that are automatically processed by GitHub Copilot, giving them silent control of the in-codespaces AI agent.”
— Roi Nisimi, Security Researcher, Orca Security
Separate vulnerabilities disclosed by Check Point Research in Anthropic’s Claude Code similarly demonstrate how configuration files in AI development tools can become execution vectors. According to The Register, the flaws allowed remote code execution and API key theft when developers cloned and opened untrusted repositories, with attackers able to bypass safeguards by manipulating project-level configuration files.
The vulnerability posed a significant risk to open-source projects, enterprise repositories, and CI/CD pipelines relying on GitHub Codespaces for development. “Any repository using AI for issue triage, PR labeling, code suggestions, or automated replies is at risk of prompt injection, command injection, secret exfiltration, repository compromise and upstream supply chain compromise,” according to security research from Aikido.
Microsoft’s Response
Microsoft resolved the critical vulnerability in GitHub Codespaces following responsible disclosure by Orca Security, with the patch preventing Copilot from processing hidden executable instructions in GitHub issues. Organizations are advised to audit recent repository activity for signs of unauthorized access.
- Rotate GITHUB_TOKENs immediately if using Codespaces during vulnerability window
- Monitor repository logs for unusual commits, pull requests, or permission changes
- Enforce least privilege access for Codespaces and Copilot
- Update GitHub CLI and related extensions to latest versions
- Train development teams on prompt injection risks in AI-assisted tools
According to guidance published by Orca Security, organizations should treat repository, issue, and pull request content as untrusted input, disable passive AI agent prompting from external data sources, set json.schemaDownload.enable to false by default, enforce strict symlink sandboxing within workspace boundaries, and enforce minimal-scope, short-lived token issuance for Codespaces environments.
What to Watch
The RoguePilot vulnerability represents the leading edge of AI-specific attack vectors that exploit the trust boundaries between developers, AI assistants, and code repositories. As autonomous coding agents gain terminal access, file modification capabilities, and network permissions, the traditional security model—where malicious code requires explicit execution—no longer holds.
Developers should expect increased scrutiny of AI tool permission models, particularly around configuration file processing and automatic command execution. Organizations deploying AI coding assistants must implement defense-in-depth strategies that treat AI-generated actions as untrusted by default, requiring explicit approval chains for operations that modify code, access credentials, or execute commands. The shift from AI as suggestion engine to AI as autonomous agent fundamentally alters what “opening a repository” means from a security perspective—a reality that will require new tooling, training, and threat modeling practices across the software development lifecycle.