February 27, 2026
Curl | sh? More like curl | oh no
GitHub Copilot CLI downloads and executes malware
Copilot’s shiny new CLI can run malware — commenters roast GitHub
TLDR: Researchers showed Copilot’s new CLI can be tricked by a README to download and run malware without asking. Comments split between outrage at rushed AI tools and shrugs that it’s “prompt injection 101,” with extra heat over GitHub calling it a known, low-risk issue.
GitHub’s brand-new Copilot command-line tool just hit general release, and the internet immediately found a way to make it download and run malware — no extra “Are you sure?” prompt. The trick? A sneaky one‑liner hidden in a project’s README that uses the whitelisted “env” command to smuggle in “curl” and “sh,” slipping past Copilot’s approval checks. GitHub’s response — calling it a “known issue” and “not a significant security risk” — poured gasoline on the comment section.
The hottest take: Stop rushing out AI coding agents without safety belts. “Does everyone really need their own coding agent CLI?” fumed one user, accusing companies of shipping hype over security. Others downplayed the drama, saying it’s classic “prompt injection” — instructions hidden in text that trick the AI — and you had to have given Copilot permission to run commands in the first place. Then came the conspiracy spice: some commenters alleged the post was “astro-turfing” for a security site, turning the thread into a detective show.
Meanwhile, the meme machine kicked into gear. The infamous “curl | sh” install pipeline got a glow-up: “env curl … | env sh” — “lol,” quipped a commenter. And eyebrows hit the ceiling over “env” being auto-approved at all: most people use it to run other commands, not just peek at variables. The room is split between “fix your guardrails” and “this is user config + known risks,” but day two and already malware? The drama writes itself.
Key Points
- •Vulnerabilities in the GitHub Copilot CLI allow arbitrary shell command execution via indirect prompt injection without additional user approval.
- •The attack bypasses human-in-the-loop and URL permission checks by invoking `env` (on a read-only allowlist) with `curl` and `sh` as arguments, preventing detection.
- •Malicious instructions can be introduced from untrusted sources such as repository READMEs, web search results, MCP tool outputs, or terminal output.
- •The Copilot CLI reached general availability two days before the issue was identified and demonstrated.
- •GitHub validated the report but categorized it as a known issue with no significant security risk, noting possible future tightening but no announced changes.