RoguePilot: How a Passive Prompt Injection Led to GitHub Repository Takeovers Artificial Intelligence coding assistants have transitioned from experimental novelties to mandatory infrastructure for …

InfoSecWriteUps' platform is  dedicated to providing insights and resources for cybersecurity professionals and enthusiasts. Through articles, tutorials, and security research, InfoSecWriteUps offers insights into cybersecurity vulnerabilities, attack techniques, and defense strategies. Readers can learn about penetration testing, threat intelligence, and incident response to enhance their cybersecurity knowledge and skills.

InfoSec Write-ups

Researchers at Orca Security discovered RoguePilot, a critical vulnerability in GitHub Codespaces where passive prompt injection via hidden HTML comments in GitHub Issues allowed attackers to hijack repositories. The attack chain works by: embedding hidden instructions in an issue, tricking GitHub Copilot into checking out a crafted PR containing a symlink to the GITHUB_TOKEN secrets file, reading the token via the symlink bypass, then exfiltrating it through VS Code's automatic JSON schema download feature. The result is a full repository takeover with no user interaction beyond opening a Codespace. Microsoft and GitHub have patched the flaw, but the post outlines broader architectural mitigations including treating AI context as untrusted input, requiring human-in-the-loop for agentic actions, hardening symlink sandboxing, and enforcing least-privilege token scopes.

RoguePilot: How a Passive Prompt Injection Led to GitHub Repository Takeovers

Background: The “God Mode” Problem in AI Tooling

The Threat Landscape: Active vs. Passive Prompt Injection

Technical Analysis: The RoguePilot Exploit Chain

Get Sohan Kanna ’s stories in your inbox

Impact Assessment: The Keys to the Kingdom