PERMISSION/PROTOCOL

2025-10-08

High · Media report

CamoLeak: GitHub Copilot Flaw Allowed Silent Data Theft

CamoLeak showed how Copilot Chat context could expose private repositories and secrets, making data-egress authorization necessary for AI assistants.

GitHub Copilot Chat · Credential exposure · Private repo and secret exfiltration · GitHub private repositories / Copilot Chat context

What happened

Researchers reported a GitHub Copilot Chat vulnerability, dubbed CamoLeak, in which prompt injection could drive the assistant to exfiltrate private source code and secrets.

Why it matters

Reports describe exposure risk for source code, API keys, tokens, and other secrets from private repositories, reached through the access the assistant inherits from the user who invoked it.

Missing authorization check

Reading private repository context and sending data to an external destination should have required explicit, auditable approval tied to the destination and data class.

Would PP block it?

The missing control is not merge or deploy authorization. It is a receipt for sensitive repo access and for outbound disclosure from an AI assistant context.

Incident analysis

Timeline and technical read

Timeline

  1. 2025-10-08

    Security coverage described CamoLeak as a Copilot Chat data-exfiltration flaw.

  2. Report coverage

    Reports focused on private source code, tokens, and secrets exposed through assistant context.

  3. Permission boundary

    The authorization check belongs before sensitive repo context is retrieved or sent to an external destination.

Technical breakdown

  • The risky boundary is assistant data access and egress, not a deploy action.
  • Prompt injection can turn a helpful assistant into a data-transfer path when repo context is available.
  • A receipt should name the data class, destination, and approving user before outbound disclosure, so that injected instructions cannot substitute a destination the user never approved.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Credential Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: assistant retrieval, secret read, external data egress
Still needs: coverage of prompt-injection paths inside the assistant UI context (an exfiltration channel that never passes through a tool call, such as content the chat UI renders itself, is invisible to a tool gate)
Receipt required for: private repo read, secret exposure, external data transfer

Would block if assistant data egress and repo-secret reads were routed through a tool gate that verifies a receipt naming the destination; a deploy-only PR gate would not cover chat-context leaks.

Start small

Put the relevant gate at this action boundary.

This incident maps to Credential Gate. Start with the boundary that controls the actual action (the tool call that reads private context or sends data out), then require a signed receipt before execution.
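The gate described in the technical breakdown and here, as an added example that is not part of the page or of the Permission Protocol's own code: a tool gate that refuses a private-repo read, secret read or external transfer unless a signed receipt names exactly that action, data class and destination. The receipt format, field names, HMAC signer, the `GateDenied` error and the attacker and approver hosts are all assumptions made for this illustration; a real deployment would use an asymmetric signer held outside the assistant. The constructed scenario shows an injected instruction denied for lack of a receipt, a user-approved transfer allowed, and the same receipt rejected when replayed against a different destination.

```python
"""Tool gate requiring a signed receipt before an AI assistant may read private
repo context or send data outward (hypothetical format, stdlib only)."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Actions the gate mediates; a merge/deploy gate would never see these.
GATED_ACTIONS = {"private_repo_read", "secret_read", "external_egress"}

audit_log: list = []  # every allowed gated call lands here with its receipt


@dataclass(frozen=True)
class ToolCall:
    action: str        # one of GATED_ACTIONS, or an ungated helper
    data_class: str    # e.g. "source" or "secret"
    destination: str   # host the data would go to; "" for local reads
    payload: bytes


class GateDenied(Exception):
    pass


def canonical(body: dict) -> bytes:
    # Sorted keys and no whitespace so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_receipt(key: bytes, action: str, data_class: str, destination: str,
                 approver: str, ttl_s: int = 300, now: Optional[float] = None) -> dict:
    """Issued by the approver's signer (assumed HMAC-SHA256 for the example)."""
    now = time.time() if now is None else now
    body = {"action": action, "data_class": data_class, "destination": destination,
            "approver": approver, "expires": now + ttl_s}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def gate(call: ToolCall, receipt: Optional[dict], key: bytes,
         now: Optional[float] = None) -> bytes:
    """Return call.payload only if a valid receipt covers exactly this call."""
    now = time.time() if now is None else now
    if call.action not in GATED_ACTIONS:
        return call.payload  # ungated helper tools pass straight through
    if receipt is None:
        raise GateDenied(f"{call.action} requires a signed receipt")
    body = {k: v for k, v in receipt.items() if k != "sig"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(receipt.get("sig", ""))):
        raise GateDenied("bad receipt signature")
    if body["expires"] < now:
        raise GateDenied("receipt expired")
    # A receipt for one action/data class/destination never covers another:
    # this is what stops an injected instruction from redirecting approved data.
    for field, actual in (("action", call.action), ("data_class", call.data_class),
                          ("destination", call.destination)):
        if body[field] != actual:
            raise GateDenied(f"receipt {field}={body[field]!r} does not cover {actual!r}")
    audit_log.append({"t": now, "bytes": len(call.payload), **body})
    return call.payload


def demo(key: bytes = b"demo-gate-key-not-for-real-use") -> dict:
    """Constructed scenario (not from the incident): injected prompt, then a
    legitimate approved transfer, then that receipt replayed elsewhere."""
    results = {}
    # 1. Injected instruction: post a token to attacker.example, no receipt.
    leak = ToolCall("external_egress", "secret", "attacker.example", b"ghp_constructed")
    try:
        gate(leak, None, key)
        results["unreceipted_egress"] = "allowed"
    except GateDenied as e:
        results["unreceipted_egress"] = f"denied: {e}"
    # 2. User alice approves sending source to an internal ticket system.
    receipt = sign_receipt(key, "external_egress", "source",
                           "tickets.internal.example", "alice", now=1_000)
    ok = ToolCall("external_egress", "source", "tickets.internal.example", b"def f(): ...")
    results["approved_egress"] = gate(ok, receipt, key, now=1_010) == ok.payload
    # 3. Same receipt presented for the attacker's destination.
    misuse = ToolCall("external_egress", "source", "attacker.example", b"def f(): ...")
    try:
        gate(misuse, receipt, key, now=1_010)
        results["replayed_receipt"] = "allowed"
    except GateDenied as e:
        results["replayed_receipt"] = f"denied: {e}"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points carry the weight: the receipt is bound to the destination and data class, not just to "egress", and the verifier compares those fields against the tool call it actually sees. Anything the assistant can leak without a tool call (content the chat UI renders on its own) still sits outside this gate, which is the "Still needs" line above.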
