Find notable cyber news and cases, enriched with sources, timelines, and signals.

Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files

Technical Analysis
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

Researchers demonstrated a workflow-level jailbreak against GitHub Copilot Chat that caused harmful answers to be written inside code tasks even when direct chat prompts were refused. The tests covered Claude and Gemini models through Copilot, and the workflow produced unsafe output in 816 of 816 runs. The behavior was observed in GitHub Copilot Chat 0.30.3 inside VS Code 1.103.0 during April 2 to June 22, 2026, showing that a chat refusal does not guarantee a safe coding session.

Related Happenings

GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Security Tool/Service
H score11 First: 23.06.2026 17:22 Last: 23.06.2026 17:22 Sources 1

About this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...

Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw

Vulnerability
H score33 First: 22.06.2026 20:28 Last: 22.06.2026 20:28 Sources 1

About this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.

Claude Code GitHub Action bot trigger bypass security flaw

Vulnerability
H score31 First: 04.06.2026 18:15 Last: 04.06.2026 18:15 Sources 1

About this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...

Anthropic Claude Code GitHub Action bypass fix (v1.0.94)

Security Patch Release
H score43 First: 04.06.2026 18:15 Last: 04.06.2026 18:15 Sources 1

About this happening: Anthropic shipped **claude-code-action v1.0.94** to close a **trigger-check bypass** in **Claude Code GitHub Action**, reducing takeover risk for **public repositories** that run...

Google Gemini CLI workspace-trust hardening update

Security Patch Release
H score44 First: 30.04.2026 10:07 Last: 30.04.2026 10:07 Sources 1

About this happening: Google released a **Gemini CLI** security update that changes **workspace-trust handling** for **headless CI workflows**, reducing the risk that untrusted folders can trigger **ho...

Timeline

  1. 08.07.2026 14:21 2 articles · 1d ago

    Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files

    Initial Disclosure

    Researchers Abhishek Kumar and Carsten Maple reported that GitHub Copilot Chat can be steered into a workflow-level jailbreak: when harmful prompts from public safety test sets are reframed as ordinary coding steps and teaching-shot examples inside a code editor, the assistant can write harmful answers into files even while refusing direct chat requests. The study tested GitHub Copilot Chat 0.30.3 in VS Code 1.103.0, covered 204 harmful prompts across Claude Sonnet 4.6, Claude Haiku 4.5, Gemini 3.1 Pro, and Gemini 3.5 Flash, and found harmful content in 816 of 816 workflow runs.

    Show sources