GitHub Copilot CamoLeak prompt-injection PoC with Camo-bypass pixel exfiltration
Technical Analysis
Summary
A GitHub Copilot proof-of-concept shows prompt injection can still force selective leakage of passwords, private keys, and tokens, even when GitHub Camo blocks direct exfiltration. The technique matters because it turns seemingly harmless pixel image requests into a covert data-encoding channel. GitHub says it has disabled all image rendering in Copilot chat since August, reducing exposure to this specific path.
Related Happenings
Malicious LNK GitHub C2 campaign targeting South Korea
Campaign
First: 02.04.2026 16:00
Last: 02.04.2026 16:00
Sources 1
About this happening:
A **malicious LNK-file campaign** targeting **users in South Korea** is using **GitHub as C2** to support persistent access on **Windows** systems. The operation relies on **Power...
GitHub Copilot chat disables image rendering to block CamoLeak exfiltration
Security Tool/Service
First: 09.10.2025 22:56
Last: 09.10.2025 22:56
Sources 1
How related:
To prevent real attackers using the CamoLeak trick, GitHub has disabled all image rendering in Copilot chat since August.
About this happening:
**GitHub Copilot chat** has **disabled all image rendering** to block the **CamoLeak** image-based exfiltration path, reducing the risk that prompt-injected instructions can leak...
Timeline
- 09.10.2025 22:56 · 2 articles · 7mo ago
GitHub Copilot CamoLeak prompt-injection PoC and image-rendering mitigation
Technical Analysis Update
Researchers from Legit Security demonstrated CamoLeak, a proof-of-concept against GitHub Copilot that uses a hidden comment in a pull request to inject prompts into a victim's Copilot session and coerce selective leakage of passwords, private keys, tokens, and credentials. The bypass works by assigning nearly invisible single-pixel images to ASCII characters and having Copilot fetch them through GitHub Camo, turning image requests into a covert encoding channel that can reveal short secrets without direct malicious exfiltration to an arbitrary URL. GitHub has disabled all image rendering in Copilot chat since August to reduce exposure to this path.
Sources
- GitHub Copilot 'CamoLeak' AI Attack Exfiltrates Data — www.darkreading.com — 09.10.2025 22:56