A set of attack vectors in GitHub Codespaces have been uncovered that enable remote code execution (RCE) by opening a malicious repository or pull request.
The findings by Orca Security, show how default behaviours in the cloud-based development service can be abused to execute code, steal credentials and access sensitive resources without explicit user approval.
GitHub Codespaces provides developers with a cloud-hosted Visual Studio Code (VSC) environment that spins up in minutes. It automatically applies repository-defined configuration files to streamline development and collaboration. That convenience, however, also creates an attack surface when those files are controlled by an adversary.
How the Exploitation Works
The research outlines how Codespaces automatically respects several configuration files on startup or when a pull request is checked out.
By embedding malicious commands in these files, attackers can trigger execution as soon as the environment loads. The issue affects both newly created Codespaces and existing ones that switch branches or pull requests.
Read more on GitHub security: GhostAction Supply Chain Attack Compromises 3000+ Secrets
The Orca Security researchers identified three primary vectors that can be abused without additional user interaction:
- Automatic tasks triggered on folder open via .vscode/tasks.json
- Terminal environment manipulation through .vscode/settings.json
- Dev container lifecycle hooks defined in .devcontainer/devcontainer.json
Each vector allows arbitrary command execution, enabling exfiltration of environment variables, including GitHub authentication tokens and Codespaces secrets.
Potential Impact
Once obtained, a GitHub token can be used to read and write to repositories in the context of the victim user. In the case of a malicious pull request against a public project, this could allow an attacker to impersonate a trusted maintainer and introduce backdoored code.
The researchers also demonstrated how these techniques could be chained to move laterally within GitHub Enterprise environments and access hidden organisational data.
The study further showed that stolen tokens could be used with undocumented GitHub APIs to access premium Microsoft Copilot models on behalf of compromised users. This raises the risk of exposing sensitive internal information if enterprise knowledge bases are queried by an attacker.
Microsoft confirmed the behaviour and stated that it is by design, relying on trusted-repository controls and existing settings to limit abuse.
However, Orca Security argued that the findings highlight a broader issue: “while Microsoft considers this behavior by design, relying on trusted-repository and settings-sync controls to limit cross-environment impact, development environments must treat repository-supplied configurations with zero trust, as they remain a viable vector within the originating environment.”
