
GitHub Issues Abused in Copilot Attack Leading to Repository Takeover


Attackers can inject malicious instructions in a GitHub Issue that are automatically processed by Copilot when launching a Codespace from that issue.

A vulnerability in GitHub Codespaces could have allowed attackers to take over repositories by injecting malicious Copilot instructions in a GitHub issue.

The attack, Orca Security says, could have allowed attackers to trigger passive prompt injections via GitHub issues, instructing Copilot to silently leak a user’s GitHub token.

“By manipulating Copilot in a Codespace to check out a crafted pull request that contains a symbolic link to an internal file, an attacker can cause Copilot to read that file and (via a remote JSON $schema) exfiltrate a privileged GITHUB_TOKEN to a remote server,” Orca explains.

A cloud-based development environment powered by Visual Studio (VS) Code, Codespaces provides a workspace for a repository, integrates with Copilot for AI-assisted suggestions, and can be launched from repositories, pull requests, commits ...
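The two ingredients Orca describes, a symlink in the checked-out branch that points at a file outside the repository and a JSON file whose `$schema` points at a remote server, can both be caught before a Codespace or an assistant touches the checkout. The following pre-launch check is an added example written for this article, not code from Orca Security or GitHub; it builds a small constructed sample checkout under a temporary directory and reports any symlink that escapes the repository root and any `.json` file with an `http(s)` `$schema`.

```python
import json
import os
import tempfile
from pathlib import Path

REMOTE_PREFIXES = ("http://", "https://")


def find_risky_files(root):
    """Walk a checkout without following symlinks and report two patterns from
    the attack chain: symlinks whose resolved target lies outside the checkout,
    and JSON documents whose "$schema" is a remote URL.
    Returns a list of (kind, relative_path, detail) tuples."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if path.is_symlink():
                target = Path(os.path.realpath(path))
                if os.path.commonpath([str(root), str(target)]) != str(root):
                    findings.append(("symlink-escape", rel, str(target)))
                continue  # never read through a symlink, escaping or not
            if path.is_file() and path.suffix == ".json":
                try:
                    doc = json.loads(path.read_text(encoding="utf-8"))
                except (ValueError, UnicodeDecodeError):
                    continue
                schema = doc.get("$schema") if isinstance(doc, dict) else None
                if isinstance(schema, str) and schema.lower().startswith(REMOTE_PREFIXES):
                    findings.append(("remote-schema", rel, schema))
    return findings


def build_sample_checkout():
    """Constructed sample (not a real repository): a benign source file, a symlink
    pointing outside the checkout, one remote $schema and one local $schema."""
    base = Path(tempfile.mkdtemp())
    repo = base / "repo"
    (repo / "src").mkdir(parents=True)
    (repo / "src" / "app.py").write_text("print('hello')\n")
    (base / "secret.txt").write_text("placeholder-not-a-real-token\n")  # stands in for an internal file
    (repo / "config").symlink_to(base / "secret.txt")
    (repo / "settings.json").write_text(json.dumps({"$schema": "https://example.invalid/s.json"}))
    (repo / "ok.json").write_text(json.dumps({"$schema": "./local.schema.json"}))
    return repo


if __name__ == "__main__":
    for kind, rel, detail in find_risky_files(build_sample_checkout()):
        print(f"{kind}: {rel} -> {detail}")
```

Run it against the checkout of the pull request before launching the environment; a non-empty result is a reason to stop and review, not a proof of an attack.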


Copyright of this story solely belongs to SecurityWeek, where the full text is available.