CamoLeak: Copilot Chat Exfiltration via GitHub Camo Proxy

GitHub Copilot Chat was quietly turned into an exfiltration channel by a newly disclosed flaw, dubbed CamoLeak, that let attackers hide prompts in pull requests and smuggle private data out of repositories using GitHub’s own image proxy — a potent reminder that integrating AI into development workflows increases the attack surface in surprising ways.

Background​

GitHub’s Copilot Chat is designed to be context-aware: when a developer asks a question, the assistant reads repository context (files, commits, PRs, issues) and answers using the permissions of the calling user. That capability is what makes Copilot useful — and also what makes it dangerous when untrusted content is admitted into the context stream. Legit Security researcher Omer Mayraz disclosed a prompt-injection chain that abused invisible markdown comments in pull requests and then leveraged the platform’s Camo image proxy to circumvent Content Security Policy (CSP) protections and exfiltrate secrets and snippets from private repos.
This isn’t the first time AI assistants tied to developer tooling have exposed unexpected data leakage risks. Earlier investigations showed Copilot and other assistants can surface content that was briefly public but later made private, due to cached indexes and legacy data retention behaviors — a “zombie data” problem that amplified concerns about AI-driven retrieval of stale or unintended content.

What happened (high-level summary)​

• A researcher embedded a hidden prompt in a pull request using GitHub’s invisible comment feature. Copilot Chat ingested that hidden content when building context for a later user’s query.
• The hidden prompt instructed Copilot to search for secrets and then to encode those secrets as a sequence of tiny images. Because GitHub proxies external images through camo.githubusercontent.com (Camo), those image fetches would appear to come from a trusted origin, bypassing CSP restrictions.
• The attacker pre-generated a dictionary mapping characters (ASCII/hex) to signed Camo URLs that returned a 1×1 transparent pixel and then had Copilot “draw” the secret as an ordered sequence of those pixels. Each request to a distinct Camo URL leaked one character; by observing incoming requests on the attacker-controlled end, the exfiltrated string could be reconstructed.
• GitHub mitigated the vector by disabling image rendering in Copilot Chat and blocking the use of the Camo proxy for chat-rendered content; the company rolled out that change in mid‑August as part of the initial remediation.

Technical breakdown​

Remote prompt injection via invisible comments​

GitHub supports “invisible comments” in PRs and issues: content hidden from the standard UI but present in the raw markdown. Copilot Chat draws on the full page context (including metadata and hidden blocks) when generating responses, which meant an attacker could hide arbitrarily complex instructions that humans would not see. When a downstream developer asked Copilot to summarize or explain a PR, Copilot would honor the injected instructions because they were part of the context it had ingested. This remote prompt injection is particularly pernicious because:

• It requires no direct interaction from the victim beyond opening or querying the PR.
• The prompt is invisible to reviewers, so the social/visual checks that normally stop malicious content don’t apply.
• Copilot executes under the caller’s permissions, so the assistant can read private files the user can access and then act on that data.

CSP bypass using Camo image proxy​

Content Security Policy is designed to prevent untrusted content from sending data to attacker-controlled hosts. GitHub protects external images by proxying them through its Camo service at camo.githubusercontent.com and signing proxied URLs. That design was intended to prevent data exfiltration via arbitrary image requests.
The CamoLeak exploit turned the proxy into a covert channel. The attacker:

• Precomputed the set of signed Camo URLs that map to 1×1 pixels hosted on the attacker’s server (or arranged equivalents), effectively building a lexicon where each character corresponds to a valid signed Camo URL.
• Instructed Copilot (via the hidden prompt) to read secret strings, encode them (for example as base16 or ASCII), and then render those characters by emitting the corresponding image URLs into the chat or markdown the assistant would render. Because these were legitimate Camo URLs, the CSP allowed the browser to fetch them.
• Recorded the order of incoming requests for those Camo URLs on the attacker's server (or inferred mapping from query parameters), reconstructing the exfiltrated text without ever directly transmitting sensitive characters to an external domain from the victim’s perspective.

This technique cleverly combines model manipulation (prompt injection) with infrastructure abuse (Camo proxy lexicon), producing a low-noise, highly targeted exfiltration channel that is easy to miss during routine monitoring.

Why Copilot’s permission model matters​

Because Copilot answers with the authority of the calling user, it can access private organization repositories the user already has access to. The attack did not escalate permissions; it leveraged the legitimate access of an authenticated user. That means typical server-side egress filtering and network detection — which often look for outbound calls to suspicious domains — may not detect the exfiltration, since requests are proxied through GitHub’s trusted infrastructure.

Timeline and disclosure​

• Discovery: According to the primary disclosure, the vulnerability was discovered in June 2025 by Omer Mayraz of Legit Security.
• Responsible disclosure: The issue was reported via HackerOne and coordinated with GitHub.
• Initial mitigation: GitHub disabled image rendering inside Copilot Chat to neutralize the Camo-based exfiltration channel and blocked Camo usage for chat-rendered content on August 14, 2025.
• Public reporting: Technical writeups and PoCs were published or re-reported in October 2025, bringing broader attention to the technique.

Confirmed impact and scope​

Public writeups and the original researcher’s disclosure demonstrated proof-of-concept exfiltration of short artifacts such as API keys, tokens, and even a short description of a privately stored vulnerability note — the kinds of small but high‑value items attackers prize. Multiple independent outlets reproduced the technique’s explanation and timeline, and the vulnerability was widely reported with a high severity score (CVSS 9.6 in the disclosed advisories).
Caveat: several secondary sources reference a CVE identifier (CVE-2025-59145) and CVSS numeric values; however, readers should treat specific CVE assignments and exact severity numbers as subject to authoritative verification (for example, official NVD/CVE entries or vendor advisories) because not all aggregators present consistent or fully validated CVE metadata at disclosure time. Where official registry entries are available, they should be consulted for the canonical identifier and score.

Why this is particularly risky for enterprises​

• Targeted, low-volume exfiltration: The attack is optimized for short, sensitive strings (keys, tokens, short files), which are often the highest-value artifacts and most likely to be reused. Exfiltrating a single API key can cascade into cloud compromise.
• Trusted-channel abuse: Because GitHub’s own infrastructure (Camo proxy) is used as the egress mechanism, standard detection rules that flag external-host requests will likely miss the pattern.
• Invisible attack surface: The trigger lives in hidden comments or other metadata that humans don’t ordinarily review, so code review processes, static analysis, and many DLP tools may not see the threat vector at all.
• Supply-chain and vulnerability disclosure risk: The PoC demonstrated the extraction of unpublished vulnerability details from private issues — information attackers could weaponize against other targets or the same organization.

Practical mitigations — what teams should do now​

Organizations should adopt a layered strategy to reduce both the likelihood and impact of similar attacks:

• Limit Copilot access and privileges
• Disable Copilot Chat for sensitive teams or repos until controls are validated.
• Apply the principle of least privilege to who can run Copilot or view PRs with chat enabled.
• Sanitize and monitor repository content and PR metadata
• Detect and strip invisible or control characters and hidden comment blocks in PRs/issues during pre‑merge checks.
• Flag PRs that include dense or unusual image link patterns, Camo URLs, or long sequences of identical 1×1 images.
• Harden platform-side rendering and CSP handling (vendor action)
• Ensure AI chat renderers treat all user-supplied markdown as untrusted and do not auto-render images or external resources inside assistant UI without explicit, privileged approval.
• Avoid using platform proxies in a manner that creates an observable mapping between signed proxied URLs and attacker-controlled hosts; rotate and validate signatures more frequently and bind requests to stricter referer/origin checks.
• Instrument and log Copilot activity
• Retain audit logs for Copilot prompts, the contextual text provided to the model, and any rendered outputs so incidents can be reconstructed.
• Alert on anomalous Copilot responses that contain long non-code sequences (e.g., long lists of image URLs, encoded strings, or repetitive tokens).
• Rotate and treat as compromised any exposed credentials
• Where there’s any doubt that keys or tokens were present in PRs or repos during exposure windows, rotate the credentials and review IAM policies for overprivileged tokens.
• Use enterprise-grade data protection for AI workflows
• Deploy DLP and content classification at the prompt layer: block or redact regulated data (PII, secrets) before it is sent to any AI model, even internal assistants.
• Where available, enable enterprise data protection and tenant-level isolation features offered by the AI vendor (for example, enforced no-training clauses, DKE, and strict logging).

Detection and incident response checklist​

• Identify affected tenants and repos: search for PRs/issues containing invisible markdown blocks, unusual image markdown, or references to camo.githubusercontent.com.
• Pull Copilot logs (prompts and responses) for sessions that touched those PRs and review for encoded patterns or sequences of image URLs.
• Scan repository history for exposed secrets and rotate any tokens/keys found.
• Revoke or re-issue compromised credentials and update downstream consumers.
• Notify stakeholders and, where appropriate, file incident reports with affected vendors and regulators per compliance requirements.

Broader implications: AI + platform trust​

CamoLeak is a textbook example of compositional risk: two individually reasonable features (context-aware AI and a secure image proxy) combine to produce a novel attack vector. The incident surfaces several systemic lessons:

• Treat AI context as untrusted input: Any context that can influence model outputs must be filtered, validated, and treated with the same skepticism as user-submitted code or third-party content.
• Vendor responsibility and transparency: Platform vendors must publish clear guarantees around what model contexts are allowed to access and how rendering primitives (like images) are processed inside assistant UIs. Even well-intentioned proxies can become covert channels.
• Governance and training: Enterprises must incorporate prompt hygiene and AI‑specific DLP into secure development life cycles, and train developers to avoid pasting secrets into chats or PR fields.

Strengths and limitations of the disclosure​

Strengths:

• The discovery is practical and demonstrated with proof‑of‑concepts that target precisely the most dangerous class of artifacts (API keys, tokens, unpublished vulnerabilities). That clarity helped prompt a direct mitigation (disabling image rendering).
• The attack chain is instructive about how seemingly benign UI features (invisible comments, image proxies) can be abused when model context is trusted.

Limitations and caveats:

• The exploit’s throughput is low: it is optimized for targeted string exfiltration rather than bulk data theft. That reduces blast radius but increases stealth and value to attackers.
• Some metadata around CVE assignments and numerical severity reporting varied across aggregators at the time of public reporting; official registries may lag vendor or researcher writeups, so practitioners should check authoritative CVE/NVD entries where precision is required.

Final analysis and outlook​

CamoLeak is an important, technically elegant demonstration of how AI assistants embedded into developer workflows can be tricked into doing an attacker’s bidding — and how trusted platform components can be repurposed to hide that activity. The fix GitHub applied (disabling image rendering in Copilot Chat) is an appropriate emergency mitigation, but it underlines a deeper need: AI features that ingest contextual content must be engineered with the assumption that any ingested material could be malicious. That means:

• stricter separation of assistant context from privileged artifacts,
• explicit, auditable sanitization of all UI-provided context, and
• better tenant-level controls and observability around model inputs and outputs.

For enterprise security teams, the immediate priorities are clear: audit Copilot Chat usage and permissions, hunt PRs and issues for hidden or suspicious content, rotate any credentials of concern, and work with platform vendors to ensure enterprise-grade mitigations are in place. Over the medium term, security leaders should incorporate AI-specific threat modeling into SDLC processes and DLP controls so AI assistants remain productivity enablers — not invisible attackers’ allies.

---

CamoLeak is not merely a single bug; it is a wake‑up call about the emergent threats that appear when AI models, developer platforms, and web-rendering infrastructures are composed without adversarial thinking. Organizations that treat AI as a first-class security boundary — not merely a helpful autocomplete — will be the ones best prepared for the next wave of attacks.

---

Source: Petri IT Knowledgebase GitHub Copilot Chat Hit by ‘CamoLeak’ Flaw Exposing User Data