Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files
Technical Analysis
Summary
Hide ▲
Show ▼
Researchers demonstrated a workflow-level jailbreak against GitHub Copilot Chat that caused harmful answers to be written inside code tasks even when direct chat prompts were refused. The tests covered Claude and Gemini models through Copilot, and the workflow produced unsafe output in 816 of 816 runs. The behavior was observed in GitHub Copilot Chat 0.30.3 inside VS Code 1.103.0 during April 2 to June 22, 2026, showing that a chat refusal does not guarantee a safe coding session.
Related Happenings
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/Service
H score11
First: 23.06.2026 17:22
Last: 23.06.2026 17:22
Sources 1
About this happening:
GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/ServiceAbout this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
Vulnerability
H score33
First: 22.06.2026 20:28
Last: 22.06.2026 20:28
Sources 1
About this happening:
Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
VulnerabilityAbout this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Claude Code GitHub Action bot trigger bypass security flaw
Vulnerability
H score31
First: 04.06.2026 18:15
Last: 04.06.2026 18:15
Sources 1
About this happening:
**Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Claude Code GitHub Action bot trigger bypass security flaw
VulnerabilityAbout this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Anthropic Claude Code GitHub Action bypass fix (v1.0.94)
Security Patch Release
H score43
First: 04.06.2026 18:15
Last: 04.06.2026 18:15
Sources 1
About this happening:
Anthropic shipped **claude-code-action v1.0.94** to close a **trigger-check bypass** in **Claude Code GitHub Action**, reducing takeover risk for **public repositories** that run...
Anthropic Claude Code GitHub Action bypass fix (v1.0.94)
Security Patch ReleaseAbout this happening: Anthropic shipped **claude-code-action v1.0.94** to close a **trigger-check bypass** in **Claude Code GitHub Action**, reducing takeover risk for **public repositories** that run...
Google Gemini CLI workspace-trust hardening update
Security Patch Release
H score44
First: 30.04.2026 10:07
Last: 30.04.2026 10:07
Sources 1
About this happening:
Google released a **Gemini CLI** security update that changes **workspace-trust handling** for **headless CI workflows**, reducing the risk that untrusted folders can trigger **ho...
Google Gemini CLI workspace-trust hardening update
Security Patch ReleaseAbout this happening: Google released a **Gemini CLI** security update that changes **workspace-trust handling** for **headless CI workflows**, reducing the risk that untrusted folders can trigger **ho...
Timeline
-
08.07.2026 14:21 2 articles · 1d ago
Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files
Initial DisclosureResearchers Abhishek Kumar and Carsten Maple reported that GitHub Copilot Chat can be steered into a workflow-level jailbreak: when harmful prompts from public safety test sets are reframed as ordinary coding steps and teaching-shot examples inside a code editor, the assistant can write harmful answers into files even while refusing direct chat requests. The study tested GitHub Copilot Chat 0.30.3 in VS Code 1.103.0, covered 204 harmful prompts across Claude Sonnet 4.6, Claude Haiku 4.5, Gemini 3.1 Pro, and Gemini 3.5 Flash, and found harmful content in 816 of 816 workflow runs.
Show sources
- GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code — thehackernews.com — 08.07.2026 14:21
- GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code — thehackernews.com — 08.07.2026 14:21