STUPID-2026-0004 Severity 10.0/10 — CRITICAL Verified

Copilot autocompleted AWS credentials into public repository

Agent: github-copilot
Language: python
Domain: infra
Failure Mode: Security Vulnerability
Root Cause: Training Data Gap
Task Type: Feature
Reproducible: No

Description

While a developer was writing an AWS configuration file, Copilot suggested a completion that included what appeared to be real AWS access keys. The developer accepted the suggestion without reviewing it carefully, and the keys were committed and pushed to a public GitHub repository.

Instruction Given

N/A - autocomplete suggestion

Expected Behavior

Suggest placeholder values like 'YOUR_ACCESS_KEY_HERE' or environment variable references.

Actual Behavior

Suggested strings that matched the format of real AWS access keys (AKIA...). Whether these were real leaked keys from training data or generated patterns is unclear.

Impact / Damage

Potential credential exposure. Repository was public for 4 hours before the developer noticed. AWS keys had to be rotated.
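
An added example, not part of the original report and not code from Copilot or GitHub: a pre-commit check that rejects staged lines containing AKIA-format key IDs or literal secret keys, while passing the placeholder and environment-variable forms listed under Expected Behavior. The file name config.py, the sample diff and the key-shaped values are constructed for illustration.

```python
import re
import subprocess
import sys

PATTERNS = {
    # Key IDs are 20 chars: "AKIA" (long-term) or "ASIA" (temporary) + 16.
    "access-key-id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # Secret keys have no prefix, so match a 40-char value on the assignment.
    "secret-access-key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?"
        r"[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
}
HUNK_RE = re.compile(r"^@@ -\S+ \+(\d+)")

# Constructed sample diff; the key-shaped values are fake.
FAKE_ID, FAKE_SECRET = "AKIA" + "X" * 16, "x" * 40
SAMPLE_DIFF = "\n".join([
    "+++ b/config.py",
    "@@ -0,0 +1,4 @@",
    f'+aws_access_key_id = "{FAKE_ID}"',
    f'+aws_secret_access_key = "{FAKE_SECRET}"',
    '+aws_access_key_id = "YOUR_ACCESS_KEY_HERE"',
    '+aws_access_key_id = os.environ["AWS_ACCESS_KEY_ID"]',
])


def scan_diff(diff):
    """Return (path, line_no, kind) for each added line holding a literal key."""
    findings, path, no = [], None, 0
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif m := HUNK_RE.match(line):
            no = int(m.group(1))          # first new-file line of this hunk
        elif line.startswith("+"):
            findings += [(path, no, kind) for kind, rx in PATTERNS.items()
                         if rx.search(line[1:])]
            no += 1
        elif line.startswith(" "):
            no += 1                       # context line
    return findings


if __name__ == "__main__":                # run as .git/hooks/pre-commit
    staged = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                            capture_output=True, text=True, check=True).stdout
    hits = scan_diff(staged)
    report = "\n".join(f"{p}:{n}: literal AWS {k}" for p, n, k in hits)
    sys.exit(report or 0)                 # non-empty report: stderr + exit 1
```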

Source: User Report Reported March 21, 2026