GitHub Codespaces malicious repository or pull request RCE remote code execution flaw
Vulnerability
Summary
Hide ▲
Show ▼
GitHub Codespaces vulnerability RoguePilot can let an attacker abuse GitHub Copilot by planting hidden instructions in a GitHub issue, then opening a Codespace from that issue to trigger silent command execution and leak GITHUB_TOKEN data. Orca Security said the flaw was a case of passive or indirect prompt injection, and Microsoft has since patched it after responsible disclosure. The broader abuse path remains tied to trusted Codespaces workflows, where attacker-controlled content can be processed by the built-in AI assistant without obvious warning.
Related Happenings
AI coding assistants GhostApproval symlink security flaw
Vulnerability
H score22
First: 09.07.2026 07:27
Last: 09.07.2026 07:27
Sources 1
About this happening:
A **July 8** disclosure identified **GhostApproval**, a **symlink** flaw in **six AI coding assistants** that can redirect approved writes into **~/.ssh/authorized_keys** or **~/....
AI coding assistants GhostApproval symlink security flaw
VulnerabilityAbout this happening: A **July 8** disclosure identified **GhostApproval**, a **symlink** flaw in **six AI coding assistants** that can redirect approved writes into **~/.ssh/authorized_keys** or **~/....
Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files
Technical Analysis
H score22
First: 08.07.2026 14:21
Last: 08.07.2026 14:21
Sources 1
About this happening:
Researchers demonstrated a **workflow-level jailbreak** against **GitHub Copilot Chat** that caused harmful answers to be written inside code tasks even when direct chat prompts w...
Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files
Technical AnalysisAbout this happening: Researchers demonstrated a **workflow-level jailbreak** against **GitHub Copilot Chat** that caused harmful answers to be written inside code tasks even when direct chat prompts w...
GitHub Agentic Workflows indirect prompt injection security flaw
Vulnerability
H score27
First: 07.07.2026 17:04
Last: 07.07.2026 17:04
Sources 1
About this happening:
**GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
GitHub Agentic Workflows indirect prompt injection security flaw
VulnerabilityAbout this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
Microsoft hit by cyberattack
Incident
H score68
First: 09.06.2026 18:42
Last: 09.06.2026 18:42
Sources 1
About this happening:
A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Microsoft hit by cyberattack
IncidentAbout this happening: A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Claude Code GitHub Action bot trigger bypass security flaw
Vulnerability
H score31
First: 04.06.2026 18:15
Last: 04.06.2026 18:15
Sources 1
About this happening:
**Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Claude Code GitHub Action bot trigger bypass security flaw
VulnerabilityAbout this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Timeline
-
05.02.2026 16:30 2 articles · 5mo ago
GitHub Codespaces malicious repository and pull request RCE disclosure
Initial DisclosureOrca Security identified three GitHub Codespaces abuse paths that can trigger arbitrary command execution when a user opens a malicious repository or checks out a malicious pull request: .vscode/tasks.json, .vscode/settings.json, and .devcontainer/devcontainer.json. The described abuse can steal GitHub authentication tokens and Codespaces secrets, support lateral movement in GitHub Enterprise environments, and expose hidden organisational data; stolen tokens may also be used with undocumented GitHub APIs to access premium Microsoft Copilot models. Microsoft said the behavior is by design and depends on trusted-repository controls and existing settings to limit abuse.
Show sources
- Malicious Commands in GitHub Codespaces Enable RCE — www.infosecurity-magazine.com — 05.02.2026 16:30
- RoguePilot Flaw in GitHub Codespaces Enabled Copilot to Leak GITHUB_TOKEN — thehackernews.com — 24.02.2026 20:52