Microsoft Copilot Personal (high)
Attack Vector
Abuses the URL `q` parameter for prompt injection, then uses double-request and chained-request techniques to bypass first-pass guardrails.
Impact
Could expose personal data, chat memory, and other data reachable in later interactions, while making the full exfiltration chain hard to spot client-side.
Response
The write-up recommends treating URLs and external inputs as untrusted and ensuring protections apply to follow-up actions, not only the first request.
Source
Varonis Threat Labs