Full Report
A vulnerability in GitHub Codespaces could have been exploited by bad actors to seize control of repositories by injecting malicious Copilot instructions in a GitHub issue. The artificial intelligence (AI)-driven vulnerability has been codenamed RoguePilot by Orca Security. It has since been patched by Microsoft following responsible disclosure. "Attackers can craft hidden instructions inside a
Analysis Summary
# Vulnerability: RoguePilot - Indirect Prompt Injection in GitHub Codespaces
## CVE Details
- **CVE ID:** Not explicitly listed in the article (Common for "codenamed" findings before official CVE assignment).
- **CVSS Score:** N/A (High severity indicated by potential for full repository takeover).
- **CWE:** CWE-506 (Embedded Malicious Code) / CWE-116 (Improper Encoding or Escaping of Output - related to Prompt Injection).
## Affected Systems
- **Products:** GitHub Codespaces, GitHub Copilot (integrated within Codespaces).
- **Versions:** All versions prior to the February 2026 patch.
- **Configurations:** Environments where a user launches a Codespace directly from a GitHub **Issue** containing malicious descriptions.
## Vulnerability Description
RoguePilot is an **indirect prompt injection** vulnerability. When a developer opens a GitHub Codespace from a specific "Issue," the built-in AI agent (GitHub Copilot) automatically ingests the issue's description to provide context.
An attacker can embed hidden instructions within the issue description using HTML comment tags (`<!-- comment -->`). Because these instructions are automatically processed by the AI agent’s LLM, the attacker can manipulate the agent into executing arbitrary commands. Specifically, the flaw allows the agent to be tricked into checking out a malicious pull request containing a symbolic link, which the agent then reads and exfiltrates (via a remote JSON `$schema` request) to an attacker-controlled server.
## Exploitation
- **Status:** PoC available (Developed by Orca Security); patched by Microsoft.
- **Complexity:** Medium (Requires crafting a specific GitHub issue and social engineering a user to launch a Codespace from it).
- **Attack Vector:** Network (Remote/Web-based).
## Impact
- **Confidentiality:** **High** (Exfiltration of the privileged `GITHUB_TOKEN` and internal files).
- **Integrity:** **High** (Malicious control over the AI agent allows for unauthorized repository modifications).
- **Availability:** **Medium** (Potential to disrupt development workflows).
## Remediation
### Patches
- Microsoft has implemented a server-side patch for GitHub Codespaces and Copilot. Users should ensure they are using the latest version of the GitHub Codespaces environment.
### Workarounds
- **Manual Review:** Users should be cautious when launching Codespaces from issues or pull requests originating from untrusted or external contributors.
- **Token Scope:** Minimize the permissions of the `GITHUB_TOKEN` within the Codespaces environment where possible.
## Detection
- **Indicators of Compromise:**
- GitHub issues containing large blocks of hidden HTML comments.
- Unexpected outbound network requests from a Codespace environment to unknown external domains (specifically JSON `$schema` lookups).
- AI agents performing unexpected `git checkout` commands on unrelated pull requests.
- **Detection Methods:** Audit GitHub Action logs and Codespace creation events for unusual entry points.
## References
- **Vendor Advisory:** [https://github.com/advisories] (General GitHub Advisory Database)
- **Research Source:** [https://orca.security/resources/blog/roguepilot-github-codespaces-vulnerability/]
- **News Article:** [https://thehackernews.com/2026/02/roguepilot-flaw-in-github-codespaces.html]