
GitHub Codespaces RCE via Malicious Repository Configurations

1 unique source, 1 article

Summary


Researchers at Orca Security discovered multiple attack vectors in GitHub Codespaces that allow remote code execution (RCE) by exploiting default behaviors in cloud-based development environments. These vulnerabilities enable attackers to execute arbitrary commands, steal credentials, and access sensitive resources without explicit user approval. The issue arises from the automatic execution of repository-defined configuration files, which can be manipulated to trigger malicious activities upon environment startup or when checking out a pull request.

Timeline

  1. 05.02.2026 16:30 · 1 article

    Orca Security Uncovers RCE Vectors in GitHub Codespaces


Information Snippets

  • GitHub Codespaces automatically applies repository-defined configuration files to streamline development, creating an attack surface when these files are controlled by an adversary.

    First reported: 05.02.2026 16:30
    1 source, 1 article
  • Three primary vectors enable RCE without additional user interaction: .vscode/tasks.json, .vscode/settings.json, and .devcontainer/devcontainer.json.

  • Exploiting these vectors allows attackers to exfiltrate environment variables, including GitHub authentication tokens and Codespaces secrets.

  • Stolen GitHub tokens can be used to read and write to repositories in the context of the victim user, potentially allowing attackers to impersonate trusted maintainers.

  • Attackers can chain these techniques to move laterally within GitHub Enterprise environments and access hidden organizational data.

  • Stolen tokens can also be used with undocumented GitHub APIs to access premium Microsoft Copilot models, exposing sensitive internal information.

  • Microsoft confirmed the behavior is by design and relies on trusted-repository controls and existing settings to limit abuse.

  • Orca Security argues that development environments must treat repository-supplied configurations with zero trust.

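As an added defensive example (not code from Orca Security, GitHub or this page), the following Python script checks a local checkout for the three configuration files named in the snippets above and reports the hooks that make commands run automatically: tasks in .vscode/tasks.json marked runOptions.runOn = folderOpen (a VS Code feature) and the lifecycle command keys of the devcontainer specification in .devcontainer/devcontainer.json. The page does not say which keys in .vscode/settings.json are abused, so that file is only flagged for manual review rather than parsed for specific settings. The sample repository the script builds is constructed for the demonstration, and the image name in it is a placeholder.

```python
"""Flag repository-supplied editor/devcontainer configs that run commands automatically.

Added defensive example; not Orca Security's, GitHub's or VS Code's own code.
Hook names: VS Code tasks with runOptions.runOn == "folderOpen"; devcontainer
lifecycle commands from the devcontainer spec. settings.json is only reported.
"""
import json
import os
import re
import tempfile

DEVCONTAINER_HOOKS = (
    "initializeCommand", "onCreateCommand", "updateContentCommand",
    "postCreateCommand", "postStartCommand", "postAttachCommand",
)


def strip_jsonc(text):
    """Remove // and /* */ comments outside strings; VS Code config files are JSONC."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:   # keep escaped character as-is
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):    # line comment: skip to end of line
            j = text.find("\n", i)
            i = n if j < 0 else j
            continue
        elif text.startswith("/*", i):    # block comment: skip past closing */
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    # Tolerate trailing commas (also accepted by VS Code); good enough for config files.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def load_jsonc(path):
    with open(path, encoding="utf-8") as fh:
        return json.loads(strip_jsonc(fh.read()))


def scan_repo(root):
    """Return (relative file, finding) tuples for configuration that executes on its own."""
    findings = []
    tasks = os.path.join(root, ".vscode", "tasks.json")
    if os.path.isfile(tasks):
        for task in load_jsonc(tasks).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append((".vscode/tasks.json",
                                 f"task {task.get('label', '?')!r} runs on folder open: "
                                 f"{task.get('command')}"))
    devcontainer = os.path.join(root, ".devcontainer", "devcontainer.json")
    if os.path.isfile(devcontainer):
        data = load_jsonc(devcontainer)
        for hook in DEVCONTAINER_HOOKS:
            if hook in data:
                findings.append((".devcontainer/devcontainer.json", f"{hook}: {data[hook]}"))
    settings = os.path.join(root, ".vscode", "settings.json")
    if os.path.isfile(settings):
        findings.append((".vscode/settings.json", "present: review before trusting the workspace"))
    return findings


def build_sample_repo():
    """Constructed sample checkout (not a real repository) carrying both kinds of hook."""
    root = tempfile.mkdtemp(prefix="codespaces-demo-")
    os.makedirs(os.path.join(root, ".vscode"))
    os.makedirs(os.path.join(root, ".devcontainer"))
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write('''{
  // constructed: a task the editor may run as soon as the folder is opened
  "version": "2.0.0",
  "tasks": [
    {"label": "setup", "type": "shell", "command": "echo setup",
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "build", "type": "shell", "command": "echo build"},
  ]
}''')
    with open(os.path.join(root, ".devcontainer", "devcontainer.json"), "w", encoding="utf-8") as fh:
        fh.write('{"image": "example/placeholder-base-image", "postCreateCommand": "echo created"}')
    return root


if __name__ == "__main__":
    for path, finding in scan_repo(build_sample_repo()):
        print(f"{path}: {finding}")
```

Run it against a freshly cloned checkout or a pull request branch before opening it in Codespaces or VS Code; any finding means the repository can start commands without an explicit click, which is exactly the case where the trusted-repository controls Microsoft points to should stay switched off for that repository.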