Orca Security — RoguePilot GitHub Copilot prompt injection

AI relevance: Codespaces feeds GitHub issue content into Copilot, so a prompt injection can turn an AI coding assistant into a credential-exfiltration tool inside developer environments.

  • Orca Security’s RoguePilot shows a passive prompt injection path that starts from a crafted GitHub Issue.
  • Launching a Codespace from an issue auto-prompts Copilot with the issue description, giving the attacker a trusted data channel into the model.
  • Hidden instructions can be tucked inside HTML comments so the malicious prompt isn’t obvious to the human reader.
  • The injected prompt can coerce Copilot into checking out a crafted PR and reading internal files.
  • Exfiltration uses VS Code’s default JSON $schema auto-download to leak data out-of-band.
  • Orca reports the chain can leak a privileged GITHUB_TOKEN and enable repository takeover.
  • GitHub was notified and remediated the issue after responsible disclosure.

Why it matters

  • AI assistants now sit on the critical path of developer workflows, so untrusted text inputs can become execution surfaces.
  • Prompt injection + developer tokens is a software supply-chain risk, not just a model safety issue.
  • Agentic coding environments need content trust boundaries that treat issues, PRs, and docs as potentially hostile.

What to do

  • Restrict token scope: use least-privilege GITHUB_TOKEN permissions in Codespaces.
  • Harden schema downloads: disable or proxy VS Code JSON schema fetching in sensitive repos.
  • Trust boundaries: treat issues/PRs from untrusted sources as hostile when launching Codespaces.
  • Monitor egress: alert on unexpected outbound requests from dev environments.
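The second and fourth items above (harden schema downloads, monitor egress) can both be turned into checks. The following is an added example written for this summary, not code from Orca Security or GitHub. It assumes strict JSON in the workspace settings file (VS Code also accepts comments there, which this parser does not), a constructed proxy log line format, and a hypothetical allowlist of hosts a dev environment is expected to reach; `json.schemaDownload.enable` is a real VS Code setting that defaults to true when absent.

```python
"""Defender-side checks for the RoguePilot-style exfiltration path.

Added example, not Orca Security's or GitHub's code.  Labelled assumptions:
the proxy log format and the sample log lines are constructed for this
example, and the allowlist of hosts is a hypothetical policy choice.
"""
from __future__ import annotations

import json
import re
from urllib.parse import urlparse

# Real VS Code setting controlling automatic fetching of "$schema" URLs.
# When it is absent from settings.json VS Code treats it as enabled.
SCHEMA_DOWNLOAD_SETTING = "json.schemaDownload.enable"

# Constructed .vscode/settings.json bodies: default-permissive and hardened.
WEAK_SETTINGS = '{ "editor.formatOnSave": true }'
HARDENED_SETTINGS = (
    '{ "editor.formatOnSave": true, "json.schemaDownload.enable": false }'
)


def audit_schema_download(settings_text: str) -> list[str]:
    """Return findings for a workspace settings.json; an empty list is a pass."""
    try:
        settings = json.loads(settings_text)  # strict JSON assumed (no comments)
    except json.JSONDecodeError as exc:
        return [f"settings.json is not valid JSON: {exc}"]
    # Absent key -> VS Code default, i.e. schema download enabled.
    value = settings.get(SCHEMA_DOWNLOAD_SETTING, True)
    if value is not False:
        return [
            f"{SCHEMA_DOWNLOAD_SETTING} is {value!r}; set it to false so that "
            f"$schema URLs in JSON files are never fetched automatically"
        ]
    return []


# Hypothetical allowlist: hosts a Codespace is expected to contact.
DEFAULT_ALLOWED_HOSTS = frozenset({
    "github.com",
    "api.github.com",
    "json.schemastore.org",
})

# Constructed egress proxy log, one request per line:
#   <timestamp> <source> <method> <url> <status>
SAMPLE_EGRESS_LOG = """\
2024-01-01T10:00:00Z codespace-1 GET https://json.schemastore.org/package.json 200
2024-01-01T10:00:01Z codespace-1 GET https://api.github.com/repos/org/repo 200
2024-01-01T10:00:02Z codespace-1 GET https://exfil.example/s.json?d=PLACEHOLDER 200
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def find_unexpected_egress(log_text: str, allowed_hosts: frozenset[str]) -> list[dict]:
    """Flag requests to hosts outside the allowlist.

    A schema fetch that carries data in the query string is exactly the shape
    of the out-of-band leak described above, so the query presence is recorded
    to help triage.
    """
    alerts: list[dict] = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # constructed format only; unparseable lines are skipped
        url = urlparse(match["url"])
        host = (url.hostname or "").lower()
        if host not in allowed_hosts:
            alerts.append({
                "ts": match["ts"],
                "src": match["src"],
                "host": host,
                "url": match["url"],
                "has_query": bool(url.query),
            })
    return alerts


if __name__ == "__main__":
    for label, body in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, audit_schema_download(body) or "OK")
    for alert in find_unexpected_egress(SAMPLE_EGRESS_LOG, DEFAULT_ALLOWED_HOSTS):
        print("ALERT", alert)
```

The settings audit is cheap enough to run as a repository check alongside other lint, and the egress check is the shape of rule one would feed a proxy or SIEM: an allowlist of expected hosts, with unexpected destinations that carry a query string triaged first.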
