STUPID-2026-0004 Severity 10/10 — CRITICAL Verified

Copilot autocompleted AWS credentials into public repository

Agent: github-copilot Language: python Domain: infra
Failure Mode
Security Vulnerability
Root Cause
Training Data Gap
Task Type
Feature
Reproducible
No

Quick Answer

Github-copilot caused a critical-severity (10/10) security vulnerability failure: Copilot autocompleted AWS credentials into public repository. The root cause was training data gap. Potential credential exposure.

Description

While a developer was writing an AWS configuration file, Copilot suggested a completion that included what appeared to be real AWS access keys. The developer accepted the suggestion without reviewing it carefully, and the keys were committed and pushed to a public GitHub repository.

Instruction Given

N/A - autocomplete suggestion

Expected Behavior

Suggest placeholder values like 'YOUR_ACCESS_KEY_HERE' or environment variable references

Actual Behavior

Suggested strings that matched the format of real AWS access keys (AKIA...). Whether these were real leaked keys from training data or generated patterns is unclear.

Impact / Damage

Potential credential exposure. Repository was public for 4 hours before the developer noticed. AWS keys had to be rotated.

Share this incident

Help others know about this AI agent failure

Source: User Report Reported March 21, 2026

Frequently Asked Questions

What happened in incident STUPID-2026-0004?

While a developer was writing an AWS configuration file, Copilot suggested a completion that included what appeared to be real AWS access keys. The developer accepted the suggestion without reviewing it carefully, and the keys were committed and pushed to a public GitHub repository.

Which AI agent caused this failure?

Github-copilot was responsible for this security vulnerability incident, documented as STUPID-2026-0004 in the StupidLLM AI agent incident database.

How severe was this AI agent failure?

It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.

What was the root cause?

The root cause was classified as training data gap. Suggest placeholder values like 'YOUR_ACCESS_KEY_HERE' or environment variable references

What was the impact or damage?

Potential credential exposure. Repository was public for 4 hours before the developer noticed. AWS keys had to be rotated.