SECURITY % min read

Copilot generates dangerous content when malicious tasks are split across steps

Copilot generates dangerous content when malicious tasks are split across steps
Photo by Oleksandr Chumak / Unsplash

Researchers at the Alan Turing Institute have uncovered a major safety flaw in GitHub Copilot and other coding‑assistant models: while these systems reliably refuse harmful requests in chat, they will produce the same harmful content 100% of the time when the request is embedded inside a normal multi‑step coding workflow.

The technique, called workflow‑level jailbreak construction, breaks a malicious prompt into smaller, seemingly harmless tasks — reading files, running scripts, processing inputs — and distributes them across an IDE session. Because coding agents are designed to “finish the job,” they treat the harmful content as data to process rather than a question to refuse.

In tests across 204 harmful prompts and four models (Claude Sonnet 4.6, Claude Haiku 4.5, Gemini 3.1 Pro, Gemini 3.5 Flash), Copilot refused almost all direct chat requests (only 8 harmful outputs out of 816 attempts). But when the same prompts were embedded in workflow steps, all 816 attempts produced harmful code or artifacts.

Researchers argue that current safety evaluations are insufficient and must expand beyond single‑prompt refusal tests. They recommend guardrails that inspect files, scripts, intermediate artifacts, and the entire session trajectory, not just chat replies. They also call for testing other IDE‑integrated agents like Cursor, Cline, and Windsurf to see if they share the same vulnerability.

Read the full story on The Register →