
GitHub Issues Abused in Copilot Attack Leading to Repository Takeover

Attackers can inject malicious instructions in a GitHub Issue that are automatically processed by Copilot when launching a Codespace from that issue. The post GitHub Issues Abused in Copilot Attack Leading to Repository Takeover appeared first on SecurityWeek.


A vulnerability in GitHub Codespaces could have allowed attackers to take over repositories by injecting malicious Copilot instructions in a GitHub issue.

The attack, Orca Security says, could have allowed attackers to trigger passive prompt injections via GitHub issues, instructing Copilot to silently leak a user’s GitHub token.

“By manipulating Copilot in a Codespace to check out a crafted pull request that contains a symbolic link to an internal file, an attacker can cause Copilot to read that file and (via a remote JSON $schema) exfiltrate a privileged GITHUB_TOKEN to a remote server,” Orca explains.

A cloud-based development environment powered by Visual Studio (VS) Code, Codespaces provides a workspace for a repository, integrates with Copilot for AI-assisted suggestions, and can be launched from repositories, pull requests, commits, and issues.

When launching Codespaces from an issue, “the in-environment Copilot AI assistant is immediately prompted with the issue’s description,” Orca explains.

The supply chain attack, which the cybersecurity firm has named RoguePilot, abuses several Codespaces features meant to increase its usability, as well as Copilot’s deep integration within the development workspace.

For example, an attacker can manipulate an issue’s description using HTML comments to hide malicious content, thus injecting malicious Copilot instructions without triggering the developer’s suspicion when visually inspecting the code.

Because VS Code supports fetching JSON schemas from the web and the setting is enabled by default in Codespaces, Orca explains, an attacker can abuse these features to exfiltrate data by appending it to the schema URL.

Furthermore, GitHub preserves symbolic links in repositories and, because these may point to sensitive information and they can be followed in certain contexts, an attacker could “exploit this behavior to access or exfiltrate data,” Orca says.

Additionally, attackers can target the GITHUB_TOKEN environment variable, which is automatically generated and provides read and write access to the repository in use.

In a RoguePilot attack, a threat actor injects a malicious prompt instructing Copilot to perform a series of actions to exfiltrate the GITHUB_TOKEN in a JSON file created by the assistant within the workspace, without requiring approval.

“In our research, we demonstrated a practical chain: issue text bound to an in-environment Copilot agent, repository symlinks that reach shared runtime files, and automatic JSON schema downloads together enabled exfiltration of a Codespaces GITHUB_TOKEN and a full repository takeover,” Orca notes.

GitHub patched the vulnerability after it was notified by the security firm. 
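As a review aid for the three ingredients Orca describes (text hidden in HTML comments in an issue, repository symlinks that point outside the checkout, and JSON files whose `$schema` is fetched from the web), the following Python sketch is an added example, not code from Orca or GitHub. The function names, the sample checkout and the `schemas.example.invalid` URL are constructed for illustration, and a POSIX filesystem is assumed.

```python
import json
import os
import re
import tempfile
from urllib.parse import urlparse

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)

def hidden_issue_text(issue_body):
    """Text inside HTML comments: absent from the rendered issue, present in the raw body."""
    return [c.strip() for c in HTML_COMMENT.findall(issue_body) if c.strip()]

def audit_checkout(repo_root):
    """Flag symlinks that resolve outside the checkout and JSON files with a remote $schema."""
    root = os.path.realpath(repo_root)
    symlinks, schemas = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    symlinks.append((rel, target))
            elif name.endswith(".json") and os.path.isfile(path):
                try:
                    with open(path, encoding="utf-8") as fh:
                        doc = json.load(fh)
                except (OSError, ValueError):
                    continue  # unreadable or not valid JSON
                url = doc.get("$schema") if isinstance(doc, dict) else None
                if isinstance(url, str) and urlparse(url).scheme in ("http", "https"):
                    schemas.append((rel, url))
    return {"symlinks": sorted(symlinks), "remote_schemas": sorted(schemas)}

def build_sample(root):
    """Constructed checkout: one symlink leaving the tree, one JSON file with a remote schema."""
    os.symlink("/etc/hostname", os.path.join(root, "notes.txt"))
    with open(os.path.join(root, "settings.json"), "w", encoding="utf-8") as fh:
        json.dump({"$schema": "https://schemas.example.invalid/s.json?d=x"}, fh)

if __name__ == "__main__":
    # Constructed issue body; the comment does not appear in the rendered issue.
    print(hidden_issue_text("Fix typo\n<!-- text the rendered page hides -->"))
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_checkout(tmp))
```

A remote `$schema` is common in legitimate configuration files, so those findings are leads for review, with a query string on the schema URL being the detail worth a closer look.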
