Intelligence
highVulnerabilityActive

Indirect Prompt Injection Threats in VS Code AI Assistants Enable Token Exfiltration and Code Execution

VS Code's AI chat features are vulnerable to indirect prompt injection attacks where malicious content in code files or documentation can poison conversations, leading to unauthorized exposure of GitHub tokens, sensitive files, and arbitrary code execution.

S
Sebastion

Affected

Microsoft VS CodeGitHub CopilotVS Code AI features

Vulnerability Overview

Microsoft and GitHub have identified a class of indirect prompt injection vulnerabilities affecting VS Code's integrated AI chat functionality. Unlike direct prompt injection, indirect attacks don't require user manipulation—attackers embed malicious instructions within source code, comments, documentation, or dependencies that VS Code processes. When users reference this content in chat conversations, the poisoned context flows to the AI model, which may execute unintended actions.

Technical Mechanism

The attack vector exploits VS Code's ability to provide code context to AI assistants. An attacker can craft specially formatted instructions within:

  • Inline code comments designed to be parsed as system prompts
  • README files or documentation files opened in the editor
  • Package dependencies or vendor files that get indexed by the assistant
  • Configuration files that VS Code monitors

When a user includes these files in their chat context (either explicitly or through automatic indexing), the AI model receives conflicting instructions and may prioritize the hidden directives over legitimate user intent, leading to token exposure or code execution without explicit consent.

Impact Assessment

This vulnerability is particularly dangerous because it requires no user social engineering. A developer cloning a compromised repository or opening a malicious pull request could trigger attacks automatically. The potential outcomes include: (1) exfiltration of GitHub personal access tokens stored in VS Code or the environment, (2) exposure of confidential source code or API keys embedded in files, and (3) execution of arbitrary commands through GitHub Actions, shell integration, or terminal execution features available to the AI.

Defender Recommendations

Developers using VS Code should: immediately upgrade to the latest version with prompt injection mitigations, audit AI chat history for suspicious outputs, rotate GitHub tokens as a precaution, and be cautious when opening untrusted repositories or pull requests. Organizations should implement policies restricting which files AI assistants can index (excluding .env, secrets, and vendor directories), use network-level token monitoring to detect unusual GitHub API access patterns, and train developers on prompt injection risks.

Broader Implications

This disclosure highlights a critical gap in AI safety practices—security models developed for traditional software don't apply to LLM-integrated tools. As IDEs increasingly embed AI assistants that have access to sensitive execution contexts (terminals, version control, build systems), the assumption that user intent alone drives software behavior breaks down. The industry must develop standardized controls for AI context, implement strict sandboxing of AI-generated commands, and establish security baselines for AI integration in developer tools before widespread adoption normalizes these risks.

Sources

vs-codeprompt-injectionai-safetygithub-copilotindirect-injectiontoken-exfiltrationcode-execution
Back to intelligence