GitHub Copilot Chat had a vulnerability that could turn a developers own AI assistant against them and silently stealing secrets, API keys and source code from private repositories with just a hidden instructions without actually executing any malicious code. This is the full story of CamoLeak, how it worked and how far reaching its impact was.
Copilot Chat Data Exfiltration Flaw
Every developer dreams of an AI assistant that works alongside them, understands code, reviews pull requests, and makes their job easier. GitHub Copilot Chat was that dream. But in June 2025, Legit Security researcher Omar Mayraz discovered something that could turn that dream into a nightmare. Copilot itself could be used as a weapon to steal data AWS keys and zero-day vulnerabilities from a developers private repository. No alert no suspicious activity and no malicious code executed just an invisible comment and its done.
When Trust Turns Into Vulnerability
GitHub Copilot Chat is so useful because it understands its context. When a developer uses it, Copilot doesn’t just talk to them, it can read the developers accessible repositories, code, pull requests and the entire context of the project. This access is subject to the developers own permissions and meaning if the developer has access to a private repository of a private organization, Copilot can read it too. This is the power that CamoLeak exploited.
The attacks design was simple but thoughtful. The attacker would submit a pull request that was openly harmless, but the description of the pull request would hide malicious instructions using GitHubs invisible markdown comment syntax. These comments would remain invisible on the rendered page but when Copilot read the context of the pull request, it would read those hidden instructions and mistake them for its actual instructions. This is called prompt injection and tricking the AI into its own language.
Weaponizing Camo GitHub Hidden Attack Surface
Till here it is understandable how the data was obtained, but the real problem was how it was taken out. GitHub Content Security Policy is also known as CSP is very strict. It prevents loading of images or content from any external domain. If the attacker gives a direct link to its server and GitHub blocks it. The trick that Mayraz discovered here is truly a marvel of engineering.
GitHub has an open source tool called Camo. Whenever a README or Markdown file contains an external image link, GitHub routes that URL through its Camo proxy and its meaning the image doesn’t come directly from the attackers server.GitHub own infrastructure acts as a middle ground and forwards the image. This was for privacy and security purposes, so that an attacker couldn’t extract user information from the raw URL. But Mayraz used this system in reverse.
They had previously created a dictionary of valid Camo URLs for the entire alphabet, numbers and symbols using GitHub REST API. A different pre-signed Camo URL for each character. They connected all these URLs to one of their web servers which returned only a transparent 1×1 pixel image in response an image completely invisible to the human eye.
Now when the Copilot read the hidden instructions and the injected prompt ordered it to search the victims private repository for keywords like AWS_KEY encode any found keywords in base16 and then generate a sequence of invisible images using the corresponding Camo URL for each character in the encoded data.
When the victims browser rendered Copilots response and it attempted to load these images by requesting the Camo URLs one after the other and by observing the pattern of each request on the attackers server the attacker learned which character was in which position. The data was passed to the attacker character by character and through GitHub trusted infrastructure.
Why Detection Failed
That’s the most troubling aspect of this attack. All outgoing traffic was going through GitHub’s own Camo infrastructure network monitors thought it was a normal image loading. No malicious code was executed that antivirus or endpoint protection could detect.
There were no suspicious domains that a firewall would block. The developers browser was simply rendering a normal Copilot response with nothing unusual visible. In the proof-of-concept and Mayraz successfully exfiltrated the actual source code of a private repository and extracted AWS keys all while the developer was simply going about their routine work.
To circumvent caching, attackers added ephemeral query parameters so that every request was fresh and no cached response was returned. They also exploited URL fragments which are handled browser-side and not in server logs to leak data without leaving a trace in any server-side logs.
Responsible Disclosure and GitHub Response
Mayraz responsibly reported this vulnerability to GitHub via HackerOne. GitHub’s security team took this report seriously and deployed a definitive fix on August 14, 2025. Image rendering in Copilot Chat was completely disabled. This was a drastic but effective decision. Rendering was stopped and eliminating the attack vector. The vulnerability was made public in October 2025 two months after the patch was released so the ecosystem would have time to adjust.
This vulnerability officially tracked as CVE-2025-59145 had a CVSS score of 9.6, a near perfect severity rating. And the reason is clear no authentication is required, no code execution and just submitting a pull request that looks legitimate was enough.
Beyond GitHub A Broader Risk
When BlackFog published a fresh analysis of this vulnerability in April 2026, their key message was that CamoLeak wasn’t an isolated incident, it was a pattern. Any AI assistant that processes untrusted content and also has access to sensitive data could be vulnerable to a similar attack. Microsoft 365 Copilot which scans enterprise emails, Google Gemini which can read shared workspace documents any AI tool that accepts external input while possessing a user’s private information, all fall into this threat model.
Prompt injection attacks directly challenge traditional security models. Old security models assumed that data is only lost when malicious code is run, a file is written, or a network connection is made. CamoLeak proved that in the era of AI, data can be lost even if the AI is simply helping and is spoken to in a specific way. No code, no executable just words.
How Developers Are Affected
If you’re a developer who uses GitHub Copilot Chat, the good news is that the August 2025 patch permanently closed this specific vulnerability. But the broader lesson is that treating AI tools as trusted and leaving them alone with your sensitive data is no longer a safe approach. Whenever an AI tool handles pull requests, issues or external content reviews and information from untrusted sources is there. And if the AI design takes that content out of context that content can become instructions.
Organizations should follow a least privilege model for AI assistants, granting access only to necessary repositories and data. Keep secrets in environment variables, not directly in code. And monitor the activity of AI tools and including when they read what and when they produced what output. This monitoring isn’t yet industry standard but it has become essential after the Camo leak.
GitHub Copilot is and will remain a great tool but this incident reminds us that the more access you give AI, the more thought you need to put into managing that access. Trust is earned not assumed.
