A vulnerability in GitHub Codespaces could let attackers seize control of repositories and exfiltrate a privileged GITHUB_TOKEN by embedding hidden Copilot instructions in a GitHub issue. In a technical analysis by Orca Security, researcher Roi Nisimi said the flaw was codenamed RoguePilot and that Microsoft patched it after responsible disclosure.
KEY FACTS
- Incident AI-driven prompt injection in GitHub Codespaces Copilot
- Impact Potential exfiltration of a privileged GITHUB_TOKEN
- Vector Malicious GitHub issue with hidden instructions triggers Copilot when a Codespace is opened
- Status Patched after responsible disclosure
The attack starts with a crafted GitHub issue that is fed automatically to the built-in Copilot agent when a developer opens a Codespace from that issue. The report shows attackers can hide prompts inside an HTML comment tag so the instructions are not immediately visible in the issue text.
The specially crafted prompt can instruct the AI assistant to run commands and to send sensitive data to an external server. The report includes a chain that uses a crafted pull request and a symbolic link to cause Copilot to read an internal file and, via a remote JSON $schema, exfiltrate the GITHUB_TOKEN.
Codespaces can be launched from templates, repositories, commits, pull requests, or issues. The problem arises when a Codespace is opened from an issue because Copilot is automatically given the issue description as a prompt.
Microsoft applied a patch to address the behaviour after the issue was reported. The disclosure classifies the vulnerability as an example of passive or indirect prompt injection and as an AI-mediated supply chain attack.
WHY IT MATTERS
The vulnerability shows that AI assistants integrated into developer workflows can be manipulated to perform unauthorized actions and leak secrets. Teams using Codespaces should verify that automated AI prompts cannot access privileged tokens and follow vendor guidance on the patch.

