GitHub Copilot Chat Hit by ‘CamoLeak’ Flaw Allowing Silent Data Exfiltration

Cybersecurity researchers have discovered a critical flaw in GitHub Copilot Chat, dubbed “CamoLeak,” that could let attackers manipulate the AI assistant into secretly leaking sensitive user data. The vulnerability exposes how prompt injection and content rendering can be weaponized to turn trusted AI tools into data exfiltration channels.

This critical security vulnerability with a CVSS score of was first discovered by Legit Security researcher Omer Mayraz in June 2025. It could allow attackers to silently extract sensitive information such as secrets and source code from private repositories. This flaw could also let hackers manipulate Copilot’s responses, including injecting malicious code or links.

The exploit combined two techniques called remote prompt injection and CSP (Content Security Policy) bypass. Remote prompt injection allows attackers to embed hidden prompts in pull request descriptions using GitHub’s invisible comments to manipulate Copilot’s behavior. On the other hand, Content Security Policy (CSP) bypass exploits GitHub’s Camo image proxy to render external images securely and covertly leak sensitive data.

How attackers exploited GitHub Copilot Chat?

The attack exploited GitHub Copilot Chat’s ability to read context from pull request (PR) descriptions. The hackers leveraged GitHub’s invisible comment feature to embed hidden prompts for manipulating Copilot’s behavior for any user viewing the PR. Copilot operates with the same permissions as the user, which could allow the AI assistant to access private repositories and respond based on the injected prompts.

To exfiltrate data, the cybercriminals used GitHub’s Camo image proxy, which securely renders external images. They pre-generated a set of Camo URLs corresponding to ASCII characters to trick Copilot into rendering sensitive information (like API keys or passwords) as images. These images appeared harmless but actually encoded private data that allowed attackers to retrieve it without raising suspicion.

GitHub has disabled the image rendering capability in Copilot Chat to mitigate the vulnerability on August 14. The company also blocked the use of Camo, which allowed attackers to leak sensitive victim user content.

How to protect against CamoLeak AI attacks?

To prevent attacks like the CamoLeak vulnerability, organizations should adopt a multi-layered approach to securing AI development tools and platforms. They should limit the contextual access granted to AI assistants like Copilot to protect sensitive data stored in private repositories. This includes configuring permissions carefully and avoiding overprivileging automated tools.

Additionally, organizations should monitor and sanitize user-generated content to detect and block hidden prompt injections. Moreover, they must implement filters or alerts for suspicious patterns to mitigate this risk. It’s also recommended to disable or restrict external content rendering within AI interfaces can prevent covert data exfiltration.