CamoLeak: GitHub Copilot Chat Exfiltrates Private Source Code via Hidden Markdown Instructions
Hidden markdown instructions in pull requests caused GitHub Copilot Chat to exfiltrate private source code and secrets to attacker-controlled servers.
What happened
CamoLeak (CVE-2025-59145) was a critical vulnerability in GitHub Copilot Chat disclosed by Legit Security in October 2025. Invisible markdown instructions embedded in pull requests or issues instructed Copilot Chat to read private source code and secrets, then exfiltrate them via approximately 100 image requests to attacker-controlled URLs served through GitHub's Camo image proxy. This bypassed the Content Security Policy that would have blocked direct external requests. GitHub mitigated the vulnerability by disabling image rendering in Copilot Chat in August 2025, before the public disclosure in October 2025.
What the agent did
GitHub Copilot Chat made outbound HTTP requests to attacker-controlled image URLs, exfiltrating private source code and secrets it had previously read from the compromised repository.
The irreversible effect
Private source code and application secrets were transmitted to attacker-controlled servers, granting unauthorized actors access to sensitive intellectual property and credentials.
Root cause
GitHub Copilot Chat lacked critical governance controls: it accepted and executed instructions directly from untrusted input (hidden markdown in pull requests) without requiring human approval for high-risk actions. The agent had no segregation of duties, no approval gates for sensitive operations like reading secrets or making external requests, and no deny-by-default restrictions on outbound communication channels. The Camo proxy CSP bypass provided an additional weakness in the exfiltration mechanism.
How a maker-checker control would have refused it
MakerChecker blocks this incident with two complementary controls: (1) Deny-by-default skill grants: the outbound-fetch skill is never granted to the Copilot role, so when the injected instruction attempts to call it, the proxy refuses with 'skill_not_granted', permanently closing the exfiltration channel. (2) High-risk approval gate: the secrets-read skill is marked high-risk, and the proxy categorically refuses it with 'high_risk_requires_gate', requiring execution only within a governed flow behind a preceding approval gate where a named reviewer authorizes which secrets are read and why.
Runnable reproduction
This incident ships as a runnable scenario in the open-source repository. Point the enforcement engine at the policy and watch the action get refused, with the refusal written to a signed audit record.
examples/camoleak-github-copilot-chat-source-code-exfiltration
Accuracy and corrections
This entry describes a publicly reported incident and is compiled from the primary sources listed above. Where an account is a legal allegation rather than an established finding, the entry labels it as such. Summaries can still contain errors. If you can document a correction, email hello@makerchecker.ai and we will review and correct it, with the change noted, within 14 days.
See it for yourself
Reading is one thing. Watch it block an agent.
One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.
Designed against the rules your auditors already enforce.