Copilot Chat prompt injection via filename, documented by Tenable, shows how adversaries can weaponize repository contents to steer AI coding assistants toward unsafe actions and data exfiltration. In the tested scenario, a specially crafted filename contains instructions directed at any GitHub Copilot or similar AI assistant that reads it. When Copilot Chat in Agent mode processes that file within Visual Studio Code, it appends the filename text to the user prompt and may obediently follow the embedded instructions, such as advising the user to run a setup.py script without a virtual environment. Copilot Chat prompt injection via filename becomes more dangerous when combined with malicious project files. Tenable’s proof-of-concept includes a setup.py script that reads sensitive system files, like SystemVersion.plist on macOS, and sends their contents to a remote webhook. Because Agent mode often executes a series of actions with user approval, developers rapidly clicking “yes” to routine suggestions may unknowingly authorize data exfiltration or environment modifications. Additional tests showed that even without a helper script, attackers could instruct the agent to perform HTTP requests or use tools like curl or internal browsers to contact attacker-controlled endpoints, turning normal repository operations into covert command channels. Copilot Chat prompt injection via filename underscores the need to treat AI-assisted development environments as part of the supply chain threat surface. Organizations should harden policies around untrusted repositories, restrict agent capabilities in high-sensitivity projects, and educate developers about prompt injection risks embedded in filenames, comments, and documentation. Security teams can reduce exposure by limiting automatic tool execution, monitoring outbound connections initiated from development hosts, and integrating AI-specific code review and telemetry into existing secure development life cycle processes.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: Copilot Chat prompt injection via filename turns seemingly benign repository artifacts into levers for code execution, configuration tampering, and sensitive data exfiltration from developer workstations. For enterprises that rely heavily on AI-assisted coding, this introduces a new class of supply chain risk where compromised repos can silently manipulate developer workflows and pipeline security. Technical Context: The issue stems from the way Copilot Chat Agent mode incorporates filenames and file contents into prompts without robust guardrails against adversarial instructions. When combined with plausible project scripts, the injected prompts can convince agents and humans to execute malicious code or contact attacker infrastructure, blurring the boundaries between trusted automation, developer intent, and hostile repository modifications.
⚡Strategic Intelligence Guidance
- Define policies for AI-assisted development that limit the use of Copilot Chat Agent mode on untrusted or externally sourced repositories, especially for high-sensitivity projects.
- Configure development environments to require explicit, informed approval for any agent-suggested command execution, and discourage blanket acceptance of automated suggestions.
- Monitor outbound network activity from developer machines and CI runners for unusual connections to webhooks or domains introduced via recent repository changes.
- Incorporate prompt injection scenarios into secure development training, highlighting how filenames, comments, and documentation can silently influence AI assistants’ behavior.
Vendors
GitHubCopilot ChatTenable
Threats
Prompt injectionRepository supply chain attack
Targets
Software developersCI/CD environmentsAI-assisted coding workflows