Tools

Tools: Powerful Github Copilot Cli Downloads And Executes Malware

2026-02-27 0 views admin
Tools: Powerful Github Copilot Cli Downloads And Executes Malware

Vulnerabilities in the GitHub Copilot CLI expose users to the risk of arbitrary shell command execution via indirect prompt injection without any user approval. We demonstrate that malware can be downloaded from external servers and executed with no user interaction beyond the initial query to the Copilot CLI.

GitHub responded quickly, “We have reviewed your report and validated your findings. After internally assessing the finding, we have determined that it is a known issue that does not present a significant security risk. We may make this functionality more strict in the future, but we don't have anything to announce right now. As a result, this is not eligible.”

GitHub Copilot has released a new CLI, which went into general availability two days ago. Upon release, vulnerabilities were identified that bypass the command validation system to achieve remote code execution via indirect prompt injection with no user approval.

Copilot leverages a human-in-the-loop approval system to ensure users must provide consent before potentially harmful commands are executed by the agent. A warning shown when opening Copilot explicitly states, “With your permission, Copilot may execute code or bash commands in this folder.”

The user has explicitly configured the command to execute automatically or

The command is part of a hard-coded ‘read-only’ list found in the source code (commands on this list do not trigger approval requirements).

Copilot also has an external URL access check that requires user approval when commands like curl, wget, or Copilot’s built-in web-fetch tool request access to external domains [1].

This article demonstrates how attackers can craft malicious commands that go entirely undetected by the validator - executing immediately on the victim’s computer with no human-in-the-loop approval whatsoever.

Here, the user is exploring an open-source repository that they just cloned, and they ask Copilot for help with the codebase.

The injection is stored in a README file from the cloned repository, which is an untrusted codebase. In practice, the malicious instruction can be introduced to the agent in many ways, such as via a web search result, an MCP tool call result, a terminal command output, and many other vectors.

Source: HackerNews

🏷️ Tags

githubtooldownloadappcli

More from Tools

Tools: Why Stripe's API is the Gold Standard: Design Patterns That Every API Builder Should Steal

Tools: Why Stripe's API is the Gold Standard: Design Patterns That Every API Builder Should Steal

2026-02-28 0
Tools: Preference Falsification: Why People Hide Their True Opinions

Tools: Preference Falsification: Why People Hide Their True Opinions

2026-02-28 0
Tools: The Normalization of Deviance: How Acceptable Risk Creeps Upward

Tools: The Normalization of Deviance: How Acceptable Risk Creeps Upward

2026-02-28 0
Tools: When Past Team Failures Become Your Team's Problem

Tools: When Past Team Failures Become Your Team's Problem

2026-02-28 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views