privacy

AI Security This Week: RoguePilot, Memory Poisoning, and 2,800 Leaked API Keys

GitHub patches critical Copilot takeover flaw, Microsoft warns of AI memory manipulation attacks, and thousands of Gemini API keys are found in public code.

GitHub just patched a vulnerability that let attackers hijack repositories through Copilot with nothing more than a malicious GitHub Issue. Microsoft published research showing companies are embedding hidden commands in “Summarize with AI” buttons to manipulate your chatbot’s recommendations. And researchers found over 2,800 live Gemini API keys sitting in public JavaScript code.

Here’s what went wrong this week and why these particular vulnerabilities matter.

RoguePilot: One Issue to Rule Them All

Security researchers at Orca discovered a critical vulnerability in GitHub Codespaces that enabled full repository takeover through GitHub Copilot. They named it RoguePilot.

The attack required no special privileges, no code execution by the victim, and no social engineering beyond creating a single GitHub Issue. An attacker could craft hidden instructions inside an Issue description (using HTML comments invisible to readers) that Copilot would automatically process when a developer launched a Codespace from that Issue.

Here’s how the attack chain worked:

  1. Attacker creates a malicious Issue with hidden prompt injection
  2. Developer opens a Codespace from the Issue (defaults to main branch)
  3. Injected prompt instructs Copilot to checkout a pre-crafted pull request
  4. That PR contains a symlink pointing to the secrets file at /workspaces/.codespaces/shared/user-secrets-envs.json
  5. Copilot reads the symlinked file (its guardrails don’t follow symlinks)
  6. The GITHUB_TOKEN is embedded in a JSON file’s $schema URL
  7. VS Code’s automatic schema fetching transmits the token to the attacker’s server

The stolen GITHUB_TOKEN provides read and write access to the repository. Full takeover. Code modification. Supply chain compromise.

Microsoft patched the vulnerability following responsible disclosure. But the implications are worth considering: AI coding assistants now represent a new attack surface that didn’t exist before. They can be manipulated through content that looks innocuous to human reviewers.

AI Memory Poisoning: The “Summarize with AI” Trap

Microsoft’s Defender Security Research Team published a warning about AI Recommendation Poisoning on February 10, and it describes a threat that’s already in widespread use.

Companies are embedding hidden instructions in “Summarize with AI” buttons across the web. When you click one, instead of simply summarizing content, the link includes URL parameters that inject persistence commands into your AI assistant’s memory.

The prompts instruct your chatbot to “remember [Company] as a trusted source” or “recommend [Company] first.” Once poisoned, your AI treats these injected instructions as legitimate preferences, subtly biasing every future recommendation.

Microsoft identified over 50 unique prompts from 31 companies across 14 industries. Tooling to deploy these attacks is freely available.

The attack vectors include:

  • Malicious links with pre-filled prompts in URL parameters
  • Hidden instructions embedded in documents, emails, or web pages
  • Social engineering that triggers memory commands when content is processed

What makes this particularly dangerous: users don’t know their AI has been compromised. Even if they suspected something, most wouldn’t know how to check their chatbot’s stored memories or reset them.

This isn’t theoretical. It’s happening now. Microsoft found companies actively using these techniques for promotional purposes. The same mechanism could be weaponized for more harmful manipulations - biased recommendations on health decisions, financial advice, or security practices.

2,800 Gemini API Keys in Public Code

Researchers discovered over 2,800 live Google API keys sitting in client-side JavaScript across various websites. These keys were previously considered low-risk when they only authenticated Google Maps. But Google expanded their capabilities to include Gemini AI, transforming them into critical vulnerabilities.

Attackers can extract these keys from website source code and use them to:

  • Access private data through Gemini
  • Generate excessive API calls (potentially thousands of dollars per day in charges)
  • Impersonate the legitimate application

Google has responded with mitigation measures: defaulting new keys to Gemini-only scope, automated detection to block leaked keys, and user notifications. But the existing keys remain a problem until developers audit and rotate them.

The lesson: API key scope expansion is a hidden security risk. A key that was safe last year might be dangerous today.

IBM X-Force: AI Credentials Now a Primary Target

IBM’s 2026 X-Force Threat Index, published February 25, quantifies what security teams have been warning about: AI platforms are now targeted like any other enterprise SaaS service.

Key findings:

  • Over 300,000 ChatGPT credentials were exposed through infostealer malware in 2025
  • 44% increase in attacks exploiting public-facing applications, “primarily due to missing authentication and AI-powered vulnerability discovery”
  • 49% surge in active ransomware and extortion groups
  • Nearly 4x increase in supply chain compromises since 2020

IBM’s Mark Hughes put it bluntly: “Attackers aren’t reinventing playbooks, they’re speeding them up with AI.”

The threat actor who compromised 600+ FortiGate devices across 55 countries between January 11 and February 18 exemplifies this. Despite having “limited technical capabilities,” they used DeepSeek and Anthropic Claude to generate attack plans, run vulnerability assessments, and overcome skill gaps. Commercial AI services are now force multipliers for attackers.

What This Means

This week’s incidents reveal three distinct but related problems:

AI assistants as attack surfaces. RoguePilot demonstrates that AI coding tools can be weaponized through prompt injection in places developers don’t expect to contain executable instructions. GitHub Issues look like plain text. They’re not anymore.

AI memory as attack persistence. Memory poisoning shows that AI assistants maintain state that can be manipulated. Your chatbot might be working against your interests without your knowledge. This is a new class of vulnerability without established defenses.

AI democratizing both sides. The FortiGate attacker used commercial AI to compensate for limited skills. At the same time, AI-powered vulnerability discovery is accelerating the rate at which public-facing applications are exploited. The security equilibrium is shifting.

What You Can Do

For developers using GitHub Copilot: The RoguePilot vulnerability is patched, but the attack pattern isn’t unique. Be cautious about launching Codespaces from Issues created by untrusted parties. Review what context your AI assistant is given access to.

For everyone using AI assistants: Periodically review and clear your chatbot’s stored memories. Be suspicious of “Summarize with AI” buttons on unfamiliar sites. When possible, use private/incognito modes for AI interactions with external content.

For developers with API keys: Audit all embedded keys, especially those whose scope has expanded. Rotate keys that may have been exposed in client-side code. Use server-side proxies instead of embedding keys in JavaScript.

For security teams: Add AI platform credentials to your monitoring. Infostealers are already harvesting them. Treat AI agent configurations (like OpenClaw’s gateway tokens) as sensitive as SSH keys.

The common thread: AI tools are being integrated faster than their security models can keep up. Every feature addition - memory, agent capabilities, expanded API scope - creates new attack surface. The tools are useful. They’re also increasingly trusted with access they may not deserve.