GitHub Copilot Flaw Leaked Private Source Code

A critical vulnerability in GitHub Copilot Chat allowed attackers to silently exfiltrate private source code and secrets from repositories. The attack involved remote prompt injection, where malicious instructions were hidden within pull request descriptions. When a user viewed the pull request, their Copilot instance would execute the hidden prompt with their permissions. Attackers bypassed GitHub's Content Security Policy using the platform's own Camo image proxy to leak the stolen data. GitHub has since patched the flaw by disabling image rendering in Copilot Chat to prevent this exfiltration vector.

Latest mentioned: 10-10

Earliest mentioned: 10-08

Sources

securityboulevard.com gbhackers.com cybersum.net

Also Read

Airstalk Malware: Sophisticated Windows Threat Exploits MDM

Cybersecurity researchers have uncovered Airstalk, a sophisticated Windows malware family available in PowerShell and .NET variants. The malware, linked to a nation-state threat actor, uses legitimate mobile device management infrastructure for covert command-and-control communications. It targets sensitive browser credentials and employs advanced evasion techniques, including the use of a likely stolen certificate. The malware's sophisticated design suggests a well-resourced adversary with advanced capabilities. Organizations utilizing business process outsourcing services are particularly at risk due to the malware's supply chain attack vector.

10-31Read more →