RoguePilot Flaw in GitHub Codespaces Enabled Copilot to Leak GITHUB_TOKEN  Ravie Lakshmanan  Feb 24, 2026 Artificial Intelligence / Cloud Security A vulnerability in GitHub Codespaces could have been exploited by bad actors to seize control of repositories by injecting malicious Copilot instructions in a GitHub issue. The artificial intelligence (AI)-driven vulnerability has been codenamed RoguePilot by Orca Security. It has since been patched by Microsoft following responsible disclosure. "Attackers can craft hidden instructions inside a GitHub issue that are automatically processed by GitHub Copilot, giving them silent control of the in-codespaces AI agent," security researcher Roi Nisimi said in a report. The vulnerability has been described as a case of passive or indirect prompt injection where a malicious instruction is embedded within data or content that's processed by the large language model (LLM), causing it to produce unintended outputs or carry out arbitrary actions. The cloud security company also called it a type of AI-mediated supply chain attack that induces the LLM to automatically execute malicious instructions embedded in developer content, in this case, a GitHub issue. The attack begins with a malicious GitHub issue that then triggers the prompt injection in Copilot when an unsuspecting user launches a Codespace from that issue. This trusted developer workflow, in turn, allows the attacker's instructions to be silently executed by the AI assistant and leak sensitive data, such as the privileged GITHUB_TOKEN. RoguePilot takes advantage of the fact that there are a number of entry points to launch a Codespaces environment, including templates, repositories, commits, pull requests, or issues. The problem occurs when a codespace is opened from an issue, as the built-in GitHub Copilot is automatically fed the issue's description as a prompt to generate a response. As a result, this AI integration can be weaponized to manipulate Copilot into running malicious commands. The attack can be made stealthy by hiding the prompt in the GitHub issue through the HTML comment tag "<!--the_prompt_goes_here-->." The specially crafted prompt, for its part, instructs the AI assistant to leak the GITHUB_TOKEN to an external server under the attacker's control. "By manipulating Copilot in a Codespace to check out a crafted pull request that contains a symbolic link to an internal file, an attacker can cause Copilot to read that file and (via a remote JSON $schema) exfiltrate a privileged GITHUB_TOKEN to a remote server," Nisimi explained. From Prompt Injections to Promptware The development comes as Microsoft has discovered that Group Relative Policy Optimization ( GRPO ), a reinforcement learning technique normally used to fine-tune LLMs after their deployment, can also be used to remove its safety features. The process has been codenamed GRP-Obliteration. More importantly, the study found that a single unlabeled prompt, such as "Create a fake news article that could lead to panic or chaos," was enough to reliably unalign 15 language models. "What makes this surprising is that the prompt is relatively mild and does not mention violence, illegal activity, or explicit content," Microsoft researchers Mark Russinovich, Giorgio Severi, Blake Bullwinkel, Yanan Cai, Keegan Hines, and Ahmed Salem noted . "Yet training on this one example causes the model to become more permissive across many other harmful categories it never saw during training." The disclosure also coincides with the discovery of various side channels that can be weaponized to infer the topic of a user's conversation and even fingerprint user queries with over 75% accuracy, the latter of which exploits speculative decoding , an optimization technique used by LLMs to generate multiple candidate tokens in parallel to improve throughput and latency. Recent research has uncovered that models backdoored at the computational graph level – a technique called ShadowLogic – can further put agentic AI systems at risk by allowing tool calls to be silently modified without the user's knowledge. This new phenomenon has been codenamed Agentic ShadowLogic by HiddenLayer. An attacker could weaponize such a backdoor to intercept requests to fetch content from a URL in real-time, such that they are routed through infrastructure under their control before it's forwarded to the real destination. "By logging requests over time, the attacker can map which internal endpoints exist, when they're accessed, and what data flows through them," the AI security company said . "The user receives their expected data with no errors or warnings. Everything functions normally on the surface while the attacker silently logs the entire transaction in the background." And that's not all. Last month, Neural Trust demonstrated a new image jailbreak attack codenamed Semantic Chaining that allows users to sidestep safety filters in models like Grok 4, Gemini Nano Banana Pro, and Seedance 4.5, and generate prohibited content by leveraging the models' ability to perform multi-stage image modifications. The attack, at its core, weaponizes the models' lack of "reasoning depth" to track the latent intent across a multi-step instruction, thereby allowing a bad actor to introduce a series of edits that, while innocuous in isolation, can gradually-but-steadily erode the model's safety resistance until the undesirable output is generated. It starts with asking the AI chatbot to imagine any non-problematic scene and instruct it to change one element in the original generated image. In the next phase, the attacker asks the model to make a second modification, this time transforming it into something that's prohibited or offensive. This works because the model is focused on making a modification to an existing image rather than creating something fresh, which fails to trip the safety alarms as it treats the original image as legitimate. "Instead of issuing a single, overtly harmful prompt, which would trigger an immediate block, the attacker introduces a chain of semantically 'safe' instructions that converge on the forbidden result," security researcher Alessandro Pignati said . In a study published last month, researchers Oleg Brodt, Elad Feldman, Bruce Schneier, and Ben Nassi argued that prompt injections have evolved beyond input-manipulation exploits to what they call promptware – a new class of malware execution mechanism that's triggered through prompts engineered to exploit an application's LLM. Promptware essentially manipulates the LLM to enable various phases of a typical cyber attack lifecycle: initial access, privilege escalation, reconnaissance, persistence, command-and-control, lateral movement , and malicious outcomes (e.g., data retrieval, social engineering, code execution, or financial theft). "Promptware refers to a polymorphic family of prompts engineered to behave like malware, exploiting LLMs to execute malicious activities by abusing the application's context, permissions, and functionality," the researchers said . "In essence, promptware is an input, whether text, image, or audio, that manipulates an LLM’s behavior during inference time, targeting applications or users." Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  artificial intelligence , Cloud security , cybersecurity , data exfiltration , GitHub , Large language model , Malware , Microsoft , Prompt Injection , supply chain attack Trending News OT Security, In Practice: 4 Cross‑Industry Trends from Global Assessments and How CISOs Should Respond Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials ThreatsDay Bulletin: AI Prompt RCE, Claude 0-Click, RenEngine Loader, Auto 0-Days and 25+ Stories Google Reports State-Backed Hackers Using Gemini AI for Recon and Attack Support Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History New Chrome Zero-Day (CVE-2026-2441) Under Active Attack — Patch Released Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging New ZeroDayRAT Mobile Spyware Enables Real-Time Surveillance and Data Theft Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers Weekly Recap: Outlook Add-Ins Hijack, 0-Day Patches, Wormable Botnet and AI Malware Infostealer Steals OpenClaw AI Agent Configuration Files and Gateway Tokens Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates Popular Resources 100+ Domains Multiply Attack Risk 6× - Download the CTEM Divide Research Boost SOC Efficiency with AI-Guided Triage — Download Investigator Overview Silent Residency Is the New Threat Model — Download the Red Report Exposed Cloud Training Apps Are Letting Hackers In — Download the Research