Researchers Uncover Methods to Bypass GitHub Copilot's Security and Subscription Restrictions

Cybersecurity researchers have identified two new techniques to manipulate GitHub Copilot, allowing attackers to override security measures, evade subscription fees, and generate malicious outputs. These methods highlight fundamental vulnerabilities in large language models (LLMs) and their implementation within AI-powered coding assistants.

Exploiting Copilot’s "Helpful" Nature for Malicious Code Generation

The first technique exploits Copilot’s inclination to assist developers by embedding chat interactions directly within the code. According to Apex security researcher Fufu Shpigelman, Copilot processes everything within a code file, including text structured like a conversation.

For example, a developer can insert a chatbot-style prompt within their code, asking Copilot to write a keylogger. Initially, Copilot denies the request by outputting a safe response. However, the developer remains in control—they can simply delete Copilot’s refusal and manipulate its response by replacing it with an affirmative word like "Sure." This prompts Copilot to continue completing the sentence as if it had originally agreed to generate the malicious code.

By leveraging this method, attackers could use Copilot to create malware, generate dangerous instructional content (such as guides for engineering bioweapons), or even develop and distribute chatbots containing harmful AI behaviors.

Hijacking Copilot via Proxy to Access OpenAI Models for Free

The second technique involves intercepting Copilot’s traffic by modifying its settings to route requests through a proxy server. Apex researchers discovered that by altering the configuration parameter "github.copilot.advanced.debug.overrideProxyUrl," they could reroute Copilot’s communication with OpenAI’s API through their own server.

This man-in-the-middle attack enabled researchers to steal the authentication token Copilot uses to interact with cloud-based LLMs such as Claude, Google Gemini, and OpenAI models. Armed with this token, they gained full access to these AI models—without usage limits or subscription fees.

Additionally, they found that Copilot transmits a detailed system prompt along with the user's input, including historical interactions and response data. This information exposes the AI’s internal restrictions, which an attacker can modify mid-transit to remove safety constraints—effectively turning Copilot into an unrestricted AI system capable of generating harmful content beyond its intended coding functions.

The Inherent Vulnerability of LLM-Based AI Assistants

While GitHub disputes the classification of these methods as security vulnerabilities—labeling them instead as "off-topic chat responses" and "abuse issues"—the research underscores a broader issue: LLMs are inherently susceptible to manipulation.

According to Tomer Avni, co-founder and CPO of Apex, the key takeaway is not that GitHub fails to implement safeguards, but rather that LLMs can always be manipulated, no matter how many security measures are in place. He suggests the need for an independent security layer to detect and mitigate these kinds of AI exploitation techniques.

These findings serve as a stark reminder that AI-driven development tools require continuous security monitoring to prevent misuse, exploitation, and unauthorized access.