AI-CLAUDECODE-SOURCEMAP-2026

Legit Security disclosed CamoLeak (CVSS 9.6), a critical vulnerability in GitHub Copilot Chat enabling silent exfiltration of private source code and secrets. The attack combined remote prompt injection via hidden pull-request comments with a CSP bypass that abused GitHub's own Camo image proxy: injected instructions made Copilot extract sensitive repo context, encode it character-by-character into a pre-generated dictionary of Camo image URLs, and leak it through image requests to an attacker server. GitHub mitigated it by disabling image rendering in Copilot Chat in August 2025.

ShadowLeak is a server-side zero-click indirect prompt-injection attack against ChatGPT's Deep Research agent, discovered by Radware. An attacker emails the victim a message with instructions hidden in the HTML using white-on-white text and tiny fonts; when the user runs Deep Research over their inbox, the agent autonomously follows the hidden instructions and exfiltrates personal and inbox data. The distinguishing trait is that exfiltration occurs entirely server-side within OpenAI's cloud infrastructure, making it invisible to local and enterprise network defenses. The Gmail proof of concept generalizes to any Deep Research connector; OpenAI fixed it before public disclosure with no evidence of in-the-wild exploitation.

The Tea women's-safety app left a Google Firebase Storage bucket publicly accessible with no authentication and directory listing enabled, exposing roughly 72,000 images including about 13,000 verification selfies and government IDs (driver's licenses, passports) and about 59,000 images from posts and messages; a separate exposed datastore leaked over 1 million private user messages. The stolen data was dumped on 4chan, fueling doxxing and harassment. Analysis showed hallmarks of rapidly built apps, including hardcoded API keys and client tokens in the source and an unsecured legacy storage system retained after a 2024 migration.

Marco Figueroa of Mozilla's 0DIN program documented a Gemini for Workspace flaw where an attacker hides instructions inside an email using tags styled with font-size zero or white-on-white text, invisible to the recipient. When the user clicks Summarize this email, Gemini processes the raw HTML and treats the hidden directive as a high-priority instruction, appending an attacker-crafted fake security warning, such as a fake support phone number, that appears to come from Google. No links or attachments are required, enabling credential harvesting and vishing at scale through indirect prompt injection.

Noma Security discovered AgentSmith, a flaw in the public LangSmith Prompt Hub where an attacker uploads a malicious AI agent with a pre-configured proxy server baked into its settings. When a victim adopts and runs the shared agent, all traffic including OpenAI API keys, prompts, uploaded documents, images and voice inputs is silently routed through the attacker's proxy, enabling exfiltration of API keys, theft of data and man-in-the-middle manipulation of downstream LLM responses. LangChain confirmed and fixed the issue in November 2024; scope was limited to the public Prompt Hub sharing feature and there was no evidence of in-the-wild exploitation.

EchoLeak is a zero-click indirect prompt-injection vulnerability in Microsoft 365 Copilot discovered by Aim Labs (Aim Security). A single crafted email containing hidden instructions causes Copilot to read and exfiltrate internal organizational data such as chat history, OneDrive files, SharePoint content and Teams messages with no user interaction. The exploit chained several bypasses: evading Microsoft's XPIA prompt-injection classifier, circumventing link redaction with reference-style Markdown, abusing auto-fetched images, and using a Microsoft Teams proxy permitted by the content security policy to exfiltrate data. Aim Labs named the underlying class an LLM Scope Violation, where untrusted external input manipulates the model into crossing its trust boundary and leaking privileged data.