GitHub Copilot Flaw Allows Attackers to Steal Source Code from Private Repositories

A critical weakness in GitHub Copilot Chat discovered in June 2025 exposed private source code and secrets to attackers.

Rated CVSS 9.6, the vulnerability combined a novel Content Security Policy bypass with remote prompt injection.

By embedding hidden prompts in pull requests, attackers could exfiltrate private repository data and control Copilot’s responses, including injecting malicious code suggestions or links.

Background of the Flaw

GitHub Copilot Chat is an AI assistant integrated directly into GitHub’s interface. It helps developers by answering questions, explaining code, and suggesting implementations based on the project context.

Because Copilot Chat accesses repository contents, it must handle sensitive data securely. The richer the context, the greater the potential attack surface.

In this instance, attackers leveraged Copilot’s context awareness to slip instructions into an otherwise innocuous pull request description.

Invisible comments a documented GitHub feature allowed prompts to remain hidden from human readers while ...