• A vulnerability in GitHub Codespaces could have allowed attackers to take over repositories by injecting malicious Copilot instructions in a GitHub issue. The attack, Orca Security says, could have allowed attackers to trigger passive prompt injections via GitHub issues, instructing Copilot to silently leak a user’s GitHub token. “By manipulating Copilot in a Codespace to check out a crafted pull request that contains a symbolic link to an internal file, an attacker can cause Copilot to read that file and (via a remote JSON $schema) exfiltrate a privileged GITHUB_TOKEN to a remote server,” Orca explains. A cloud-based development environment powered by Visual Studio (VS) Code, Codespaces provides a workspace for a repository, integrates with Copilot for AI-assisted suggestions, and can be launched from repositories, pull requests, commits, and issues. When launching Codespaces from an issue, “the in-environment Copilot AI assistant is immediately prompted with the issue’s description,” Orca explains. The supply chain attack, which the cybersecurity firm has named RoguePilot, abuses several Codespaces features meant to increase its usability, as well as Copilot’s deep integration within the development workspace.
• For example, an attacker can manipulate an issue’s description using HTML comments to hide malicious content, thus injecting malicious Copilot instructions without triggering the developer’s suspicion when visually inspecting the code. Because VS Code supports fetching JSON schemas from the web and the setting is enabled by default in Codespaces, Orca explains, an attacker can abuse these features to exfiltrate data by appending it to the schema URL. Furthermore, GitHub preserves symbolic links in repositories and, because these may point to sensitive information and they can be followed in certain contexts, an attacker could “exploit this behavior to access or exfiltrate data,” Orca says. Additionally, attackers can target the
Article Summaries:
- GitHub has patched a vulnerability that allowed attackers to hijack repositories by exploiting its Codespaces and Copilot integration. Orca Security identified a supply‑chain attack, dubbed “RoguePilot,” in which malicious instructions were injected into a GitHub issue’s description, hidden in HTML comments, to prompt Copilot to execute hidden actions. By leveraging Codespaces’ default JSON schema fetching, symbolic links, and the automatically generated GITHUB_TOKEN, the attacker could read internal files and exfiltrate the token to a remote server, effectively taking over the repository. GitHub responded by fixing the flaw after notification.
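
A defender-side check for the three primitives the article describes (text hidden in HTML comments in an issue body, a JSON file pointing at a remote `$schema`, and a symbolic link that resolves outside the repository), as an added example that is not code from Orca Security or GitHub. The function names and sample strings are constructed for illustration.

```python
import json
import os
import re

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)

def hidden_comments(issue_body):
    """Return text inside HTML comments, which rendered Markdown does not display."""
    return [m.strip() for m in HTML_COMMENT.findall(issue_body) if m.strip()]

def remote_schema(json_text):
    """Return the $schema URL if a JSON document references an http(s) schema."""
    try:
        doc = json.loads(json_text)
    except ValueError:
        return None  # not strict JSON; review by hand
    url = doc.get("$schema") if isinstance(doc, dict) else None
    if isinstance(url, str) and url.lower().startswith(("http://", "https://")):
        return url
    return None

def escaping_symlinks(repo_root):
    """Return (link, resolved_target) for symlinks that resolve outside repo_root."""
    root = os.path.realpath(repo_root)
    found = []
    # followlinks=False: report linked directories without walking into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                found.append((os.path.relpath(path, root), target))
    return found

if __name__ == "__main__":
    # Constructed sample issue body; the comment text is a harmless placeholder.
    sample = "Docs typo in README\n<!-- placeholder hidden text -->"
    print(hidden_comments(sample))
    print(escaping_symlinks("."))
```

Run it over the issue text and the checked-out pull request before an assistant is pointed at either. `remote_schema` parses strict JSON only, so files that contain comments return `None` and need a tolerant parser or manual review.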
Sources:
- https://www.securityweek.com/github-issues-abused-in-copilot-attack-leading-to-repository-takeover/ (Latest source article published: 2026-02-24 12:26 UTC)