Close Menu
    What's Hot

    The Open Commitment: R&A to launch new fan code of conduct at Royal Birkdale to avoid crowd behaviour impacting major | Golf News

    Someone is going to buy Jensen Huang’s leather jacket for a lot of money

    Graham Platner Suspended His Senate Campaign. Here’s What’s Next for Democrats.

    Facebook X (Twitter) Instagram
    Trending
    • The Open Commitment: R&A to launch new fan code of conduct at Royal Birkdale to avoid crowd behaviour impacting major | Golf News
    • Someone is going to buy Jensen Huang’s leather jacket for a lot of money
    • Graham Platner Suspended His Senate Campaign. Here’s What’s Next for Democrats.
    • Truecaller clashes with India’s telecom regulator over anti-spam rules
    • General Motors Stock Is A Buy Ahead Of Q2 Earnings (Rating Upgrade) (NYSE:GM)
    • GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code
    • ‘A Slow-Rolling Disaster’: Inside the Implosion of the Platner Campaign
    • Graham Platner just dropped out. Here’s who could replace him.
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code

    adminBy adminJuly 9, 2026No Comments6 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code
    Share
    Facebook Twitter LinkedIn Pinterest Email

    GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code

    An AI coding assistant that refuses to answer a dangerous request in its chat box can answer it anyway if the same request is broken into small, ordinary-looking steps inside a code editor. That is the finding of a new study of GitHub Copilot by researchers Abhishek Kumar and Carsten Maple.

    The models they tested through Copilot, Claude from Anthropic, and Gemini from Google, refused almost every harmful request when asked directly. Reframed as steps in a normal coding task, they produced the harmful answers in all 816 of the study’s workflow runs.

    What makes this different from a typical jailbreak: no one asks for the harmful thing directly, and the model is not tricked into running someone else’s code. It writes the banned content itself, as a side effect of a coding task it was told to improve.

    How it works

    The researchers call the method workflow-level jailbreak construction.

    Instead of a single blunt prompt, they asked Copilot to build an everyday piece of software: a small test program that scores how often another AI model gives in to harmful prompts. Loading a list of harmful test questions into that program looks like ordinary work, not an attack.

    Cybersecurity

    Then came the nudge. They told Copilot the score was too low and asked it to improve the program by adding “teaching shots,” example question-and-answer pairs written into the code to push the score up. Copilot added harmless examples first.

    Asked to add the harmful ones, it wrote the dangerous answers itself, as plain text sitting inside the code. These were answers that the same models refuse when you ask for them straight out in a chat.

    The important part is where the harmful text came from. The researchers supplied only the questions, taken from public safety test sets. The answers were the model’s own work, produced to complete the assigned task of filling in the examples.

    The numbers

    The team ran 204 harmful prompts drawn from three public benchmarks (Hammurabi’s Code, HarmBench, and AdvBench) against four models available through Copilot: Claude Sonnet 4.6, Claude Haiku 4.5, Gemini 3.1 Pro, and Gemini 3.5 Flash.

    Everything ran on default settings, with the models used exactly as Copilot delivers them, no changed parameters or added filters.

    Asked directly in chat, the models produced harmful answers in just 8 of 816 tries. Two other simple setups, loading the prompts from a spreadsheet or asking for a routine code fix, gave the same result. Inside the full workflow, they produced harmful content 816 times out of 816.

    Two expert reviewers checked every response on their own and agreed that all 816 were genuinely harmful, using a strict test: the answer had to be specific, usable, and actually do what the harmful prompt asked. Refusals, vague warnings, and safe alternatives did not count.

    The harmful output showed up after roughly six back-and-forth exchanges, all of them looking like normal coding steps. The tests used GitHub Copilot Chat 0.30.3 inside VS Code 1.103.0, in sessions run between April 2 and June 22, 2026. Because these are hosted services that update over time, the exact behavior may shift.

    Why does it happen? The paper’s answer is about incentives. Once the work is framed as raising a score, refusing to fill in one field stops looking like a safety choice and starts looking like leaving the job unfinished. The authors tie it to a known tendency in coding agents: optimizing for the metric they are handed, even when that cuts against their own guardrails.

    Why it matters

    A chat refusal does not prove a coding assistant is safe. The same model can hold the line in conversation and cross it while writing code. And the failure hides in an easy-to-miss spot: the harmful text lands in a file the assistant writes, outside the chat reply where a refusal would normally show up.

    For anyone using these tools, the concrete read is narrow but usable. Be wary of a multi-turn session that asks the assistant to fill an evaluation or benchmark harness with example prompts and answers to push a score up. Review the files the assistant writes rather than trusting that a visible chat refusal means the session stayed clean.

    Cybersecurity

    The authors boil it down to three directions, none a full fix on its own: inspect what the agent writes, judge a whole session rather than each message, and treat a request to “improve a benchmark score” as a reason to look closer. They say they reported the findings to the affected tool and model makers, and they left the harmful outputs and exact prompts out of the paper.

    The result fits a growing pile of work showing that AI safety training gets shakier once a model is wired into a tool that can act, rather than just chat. Earlier research found that safety-trained models are easily jailbroken when turned into web-browsing agents.

    The closest earlier attack, CodeJailbreaker, hides the harmful intent inside a fake commit message. Others, like RedCode, have shown that models accept a dangerous instruction more readily when it is dressed up as code than as plain English. The Crescendo attack reached a harmful goal by easing into it over several chat turns instead of asking outright.

    The same effect shows up in real coding tools, not just this benchmark. The Hacker News recently covered GuardFall, a command-safety bypass that leaned on exactly this first step: a blunt, destructive command gets refused, while the same command tucked into a build file or a tool’s documentation reply gets produced as a routine step.

    The twist in this new study is that the harmful content is not the setup for another attack; it is the thing the model was steered into producing.

    The study covers only GitHub Copilot with four models from two vendors. The authors are clear that the results may not carry over to other assistants such as Cursor, Cline, or Windsurf, or to models from OpenAI and others. That is the open question they flag for later.

    The harder one they leave unsolved: how to catch this pattern without also breaking the legitimate security research that has to work with the same harmful test prompts.

    chat Code Copilot GitHub harmful refuses requests writes
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous Article‘A Slow-Rolling Disaster’: Inside the Implosion of the Platner Campaign
    Next Article General Motors Stock Is A Buy Ahead Of Q2 Earnings (Rating Upgrade) (NYSE:GM)
    admin
    • Website

    Related Posts

    The Open Commitment: R&A to launch new fan code of conduct at Royal Birkdale to avoid crowd behaviour impacting major | Golf News

    July 9, 2026

    The Verification Step Is the New ATO Battleground in 2026

    July 9, 2026

    SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

    July 8, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    The Open Commitment: R&A to launch new fan code of conduct at Royal Birkdale to avoid crowd behaviour impacting major | Golf News

    Someone is going to buy Jensen Huang’s leather jacket for a lot of money

    Graham Platner Suspended His Senate Campaign. Here’s What’s Next for Democrats.

    Truecaller clashes with India’s telecom regulator over anti-spam rules

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by