GitHub Copilot Chat Flaw Let Private Code Leak Via Images

Researcher Found Bug Could Exfiltrate Secrets Via Camo Images Rashmi Ramesh (rashmiramesh_) • October 9, 2025

A now-patched flaw in GitHub Copilot Chat could have enabled attackers to steal source code and secrets by embedding hidden prompts that hijacked the artificial intelligence assistant's responses. The exploit also used the repository platform's image proxy to leak the stolen data.

See Also: When Identity Protection Fails: Rethinking Resilience for a Modern Threat Landscape

The vulnerability, discovered by Legit Security researcher Omer Mayraz, combined a remote prompt injection with an inventive bypass of GitHub's content security policy. It used Cam, the platform's image proxying service, to pull private data out of repositories.

GitHub Copilot Chat is an AI assistant built into GitHub that helps developers by answering questions, explaining code and suggesting implementations directly in their workflow.

The flaw combined two issues: hidden pull-request comments and ...