Copilot on GitHub Was Exploited

RoguePilot, a serious AI-driven flaw in GitHub Codespaces, allowed hackers to covertly take over a repository by inserting malicious instructions into a GitHub Issue. Researchers at the Orca Research Pod discovered the vulnerability, which takes advantage of the smooth interaction between GitHub Issues and the in-Codespaces Copilot AI agent. An attacker does not need to interact directly with the system to initiate a complete repository takeover.

After the vulnerability was responsibly reported to GitHub, Microsoft worked with the Orca team to coordinate remediation and has since patched it.

How the GitHub Copilot Attack Operates:

RoguePilot is categorized as a Passive Prompt Injection variant, a type of attack in which malicious instructions are embedded within developer environments, data, or content that a language model processes automatically.

In contrast to traditional prompt injection, which requires the victim to interact directly with the AI, this attack is triggered as soon as a developer opens a Codespace from a poisoned GitHub Issue.

According to Orca's disclosure, vendors should implement fail-safe defaults for all LLM-integrated developer tooling: treat content from repositories, issues, and pull requests as untrusted input; disable passive AI agent prompting from external data sources; set json.schemaDownload.enable to false by default; enforce strict symlink sandboxing within workspace boundaries; and issue only minimal-scope, transient tokens for Codespaces environments.
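The symlink sandboxing recommendation above is easy to state and easy to get wrong. The following added example (not code from Orca, GitHub, or Microsoft) shows the check a developer tool can run before it follows any path that a workspace asks it to read: resolve every symlink, then refuse anything whose real location falls outside the workspace root. The function names, the temporary workspace layout, and the file contents are assumptions constructed for the demonstration.

```python
"""Workspace boundary check for symlinks (added example, not Orca's or GitHub's code).

Resolves every symlink in a requested path and refuses it if the real location
lies outside the workspace root. Function names and sample layout are assumptions.
"""
import os
import tempfile


def is_within_workspace(workspace_root: str, candidate: str) -> bool:
    """Return True only if `candidate`, after resolving all symlinks, lies under
    `workspace_root`. Both sides are canonicalised, so a link committed inside
    the workspace that points at /etc or $HOME is rejected."""
    root = os.path.realpath(workspace_root)
    target = os.path.realpath(os.path.join(root, candidate))
    # commonpath raises ValueError for paths on different drives; treat that as outside.
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:
        return False


def safe_read(workspace_root: str, relative_path: str) -> bytes:
    """Read a workspace file only if the boundary check passes."""
    if not is_within_workspace(workspace_root, relative_path):
        raise PermissionError(f"{relative_path!r} resolves outside the workspace")
    with open(os.path.join(workspace_root, relative_path), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed workspace containing one honest file and one symlink
    that escapes the workspace, and report what the check decides for each."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as ws:
        # Constructed sample data: a file that must stay out of the agent's reach.
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("not for the agent")
        with open(os.path.join(ws, "README.md"), "w") as fh:
            fh.write("# demo repo")
        # A symlink inside the workspace that points outside it.
        os.symlink(secret, os.path.join(ws, "link_to_secret"))

        results = {
            "README.md": is_within_workspace(ws, "README.md"),
            "link_to_secret": is_within_workspace(ws, "link_to_secret"),
            "../escape": is_within_workspace(ws, "../escape"),
        }
        results["honest_read"] = safe_read(ws, "README.md")
        try:
            safe_read(ws, "link_to_secret")
            results["link_blocked"] = False
        except PermissionError:
            results["link_blocked"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

The important detail is that both the root and the candidate go through `os.path.realpath` before comparison; comparing the unresolved string prefix would let a symlink named `./docs` that points at `/home/user/.ssh` pass as "inside" the workspace.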
