Copilot flaw exposed hidden data paths

GitHub Copilot Chat has been shown to carry a serious prompt-injection weakness that allowed a researcher to demonstrate how secrets, private source code and other sensitive repository data could be siphoned out of trusted development workflows without planting malware in the victim’s environment. The issue, dubbed CamoLeak, was disclosed by Legit Security researcher Omer Mayraz after he said he found it in June 2025, reported it through HackerOne and saw GitHub deploy a fix by 14 August 2025. The attack centred on Copilot Chat’s ability to absorb repository context and act on content that appeared harmless to a human reviewer.

What made the flaw stand out was that it did not depend on traditional code execution. Instead, the researcher described an attack chain that combined remote prompt injection with abuse of GitHub’s own image-handling infrastructure. A malicious instruction could be hidden inside a pull request description or similar content using HTML comments that GitHub does not render visibly to users, while Copilot could still ingest that text as context. From there, the model could be nudged into assembling outbound image requests that encoded sensitive information. GitHub’s documentation confirms both the availability of hidden Markdown comments and the use of its Camo anonymised image proxy, the two ingredients that made the proof of concept possible.

The researcher’s write-up and follow-on industry coverage say the technique could expose API keys, proprietary code and even unpublished vulnerability details stored in private repositories. BankInfoSecurity reported that the exploit relied on hidden prompts and manipulated Camo image links to move data out, while Dark Reading noted that the case underlined how even mature AI coding tools remain vulnerable when external, attacker-controlled text is mixed with privileged internal context. The wider security lesson is that large language model assistants do not need to “run malware” to cause harm; they can become the channel through which trusted data is repackaged and leaked.

GitHub’s mitigation was direct but revealing. According to the researcher and multiple reports, the company disabled image rendering in Copilot Chat completely, cutting off the exfiltration path rather than attempting a narrower patch. GitHub had already been warning about indirect prompt injection risks in related tooling. In an August 2025 security post on VS Code protections, GitHub said poisoned chat context could expose confidential files, GitHub tokens or trigger other sensitive actions if untrusted data was allowed to steer the model. That acknowledgement places the Copilot Chat flaw within a broader class of AI security problems facing software teams, rather than as a one-off bug.

The chronology also matters because it shows how quickly AI-assisted development has become a security battleground. Mayraz published his detailed account on 8 October 2025, and industry outlets picked it up the next day, framing it as one of the clearest examples yet of prompt injection being turned into practical data exfiltration inside a developer tool. The attention followed other AI-assistant security disclosures during 2025, including GitHub and Microsoft-related Copilot issues in adjacent products, reinforcing concern that coding agents with broad context access create a larger attack surface than conventional extensions.

One area where the public narrative remains muddy is the CVE labelling. Some secondary articles and reposts describe the Copilot flaw as CVE-2025-59145, but public CVE and NVD records for that identifier point to an unrelated compromise involving the npm package color-name, not GitHub Copilot Chat. By contrast, the primary researcher disclosure for CamoLeak sets out the technical details, the CVSS 9.6 severity assessment and the August 2025 remediation without matching that public CVE record. For editors and security teams alike, that mismatch is a reminder that headlines and syndicated copies need to be checked against primary advisories before publication or response decisions are made.

For companies using Copilot, the episode sharpens a debate that has been building across the software industry: how much trust should be given to AI tools that can see private repositories, tickets and pull requests. GitHub offers content exclusion controls for some repositories and organisations, allowing specified files or paths to be ignored by Copilot, but its own documentation says those exclusions do not extend to every Copilot surface, including Copilot CLI, the cloud agent and Agent mode in IDE chat. That leaves organisations relying not only on vendor safeguards but also on internal controls over what assistants can access, how pull requests are reviewed and which repositories should be ring-fenced from AI context collection altogether.