A critical vulnerability in GitHub Copilot Chat, dubbed “CamoLeak,” allowed attackers to silently steal source code and secrets from private repositories using a sophisticated prompt injection technique. The flaw, which carried a CVSS score of 9.6, has since been patched by GitHub.
How the CamoLeak attack worked
The attack method, discovered by security researcher Omer Mayraz, began by hiding malicious instructions within a pull request description using GitHub’s “invisible comments” feature. While this content is not visible to users in the standard interface, Copilot Chat ingests all repository and pull request context, including this hidden metadata, when generating responses.
The vulnerability was triggered when a legitimate developer with access to private repositories would ask Copilot Chat a question about the compromised pull request. Copilot, which operates with the permissions of the querying user, would then execute the hidden malicious prompt. This allowed the attacker to command the AI assistant to search for sensitive information, such as API keys or source code, within the victim’s accessible private repositories.
To exfiltrate the stolen data, the attack leveraged GitHub’s own “Camo” image proxy service. Normally, GitHub’s Content Security Policy (CSP) prevents content from directly leaking data to external domains. The Camo proxy is designed to safely route external image requests, rewriting URLs to a camo.githubusercontent.com address with a cryptographic signature.
The CamoLeak attack bypassed these protections by first having the attacker create a dictionary of pre-signed Camo URLs. Each valid URL pointed to a benign, invisible 1×1 pixel image hosted on the attacker’s server, with each unique URL representing a single character of data (e.g., ‘A’, ‘B’, ‘1’, ‘;’).
The injected prompt then instructed Copilot to construct its response by referencing these pre-signed image URLs in a specific sequence that encoded the stolen repository content. When the victim’s browser rendered Copilot’s output, it made a series of requests through the trusted Camo proxy to fetch each invisible pixel. The sequence of these requests, as received by the attacker’s server, effectively reconstructed the stolen data character by character, all without displaying any malicious content to the user or triggering standard network security alerts.
