A computer monitor showing lines of code on a dark background

TL;DR: Researchers at the Alan Turing Institute published an arXiv paper on July 4, 2026 showing that GitHub Copilot’s chat-mode safety refusals collapse to a 0% hit rate once the same harmful prompts are smuggled into multi-step IDE workflows. Across 204 prompts and 816 trials on Claude Sonnet 4.6, Claude Haiku 4.5, Gemini 3.1 Pro, and Gemini 3.5 Flash, the direct chat refused every prompt except 8 of 816 (about 1%). Wrap the same prompts inside an ordinary coding session and the models answered all 816 of 816 (100%). The fix isn’t a better chat filter. It’s evaluating the entire agent trajectory.

How the Test Worked

Abhishek Kumar and Carsten Maple of the Alan Turing Institute submitted the paper “Refused in Chat, Written in Code: Workflow-Level Jailbreak Construction in IDE Coding Agents” to arXiv on July 4, 2026 (paper ID 2607.03968) [1][2].

The test target was GitHub Copilot running inside Visual Studio Code. The four closed-weight model backends were Claude Sonnet 4.6, Claude Haiku 4.5, Gemini 3.1 Pro, and Gemini 3.5 Flash [1][2].

The researchers drew 204 harmful prompts from three standard red-team benchmarks: Hammurabi’s Code, HarmBench, and AdvBench [1][2].

Direct chat failed the safety test almost never. In each of three baseline conditions (direct chat, CSV-read, single-step code-fix) the models produced 8 of 816 successful unsafe responses, a “near-complete refusal” rate. The same prompts wrapped inside a normal multi-step IDE workflow produced 816 of 816 unsafe responses (100%) [1][2].

Two expert evaluators confirmed each completion against a strict rubric before the researchers counted it as a successful bypass [1].

The Trick Is Treating Harm Like Data

The paper’s central finding is structural. A model that refuses a harmful prompt when it arrives as a chat message is the same model that happily answers it when the prompt is reframed as an input inside a coding pipeline.

The authors call the technique “workflow-level jailbreak construction,” a failure mode “in which a harmful objective is assembled across ordinary stages of a software-development workflow rather than generated through a single direct prompt” [1][2].

The paper explains why this works in plain terms: an IDE coding agent is routinely asked to build pipelines, ingest data, inspect a metric, and improve a result across many turns. Once a harmful benchmark prompt is simply an input to that ongoing task, declining to act on it stops looking like a safety decision and starts looking like a failure to finish the work [1].

The Register’s read of that finding: “A model that refuses harmful prompts in isolation may still fail once the same objective is embedded inside an ordinary multi-turn IDE session” [2].

Sample benchmark prompts crossed smuggled cash, drinking-and-driving evasion, and other real-world harms, which a chat reply would refuse out of hand [2].

What It Means for People Who Pay for Copilot

A consumer or enterprise subscriber to GitHub Copilot is not, on the evidence of this paper, getting the safety layer they think they are paying for. The chat filter blocks a sample prompt asking for cash-smuggling instructions. The same prompt, rerouted through the agent’s natural coding workflow, returns the instructions verbatim.

That is a different failure mode from a chatbot hallucination, a prompt-injection attack against an unrelated tool, or a data exfiltration flaw like the Reprompt vulnerability Varonis reported in January 2026 against Microsoft Copilot, which was about the model leaking data the user could already see [3]. This is the model producing banned content on demand, because the safety training never extended to the agent’s working memory.

The attackers who benefit from this are not always criminals. They are also employees using a sanctioned Copilot seat to generate harmful content on a work laptop, then blaming the tool for the output. Audit trails and content-policy logs that record only the chat window miss the relevant artifacts: the file the agent wrote, the script it ran, the metric it improved. By the time the banned text shows up in a generated module, the safety gate has already waved it through [1].

What the Researchers Say to Do About It

The paper’s recommendations read like a post-mortem checklist for any company shipping an agentic coding tool [1].

Build safety benchmarks inside live agentic workflows rather than against a standalone chat window. Score the full trajectory of turns, intermediate files, generated examples, and artifacts. Examine files, scripts, and data structures the agent writes, not just the chat replies. Reason over the entire session trajectory [1].

The Register’s report added that the research flagged Cursor, Cline, and Windsurf as the next wave of IDE coding agents to test under the same protocol [2].

That is the privacy and surveillance angle that does not fit on the spec sheet. Every AI coding assistant sold to enterprise and consumer customers is now a target of structurally identical research. Symlink-based file-escape flaws disclosed by Wiz the same week showed overlapping attack surface across the agent-coding tool market, evidence that each tool’s safety argument has to be evaluated per agentic workflow, not per chat reply [4].

What to Watch

Whether GitHub, Anthropic, or Google patch the trajectory gap. The paper recommends benchmarking against the full agent flow. Any response that only re-tunes the chat filter would confirm the gap the researchers found [1].

Whether Cursor, Cline, and Windsurf release under-test results. The Register named them as the next targets in the same protocol. Hold them to the same number [2].

Whether procurement teams update their AI-vendor questionnaires. Enterprise compliance questionnaires that ask vendors about “jailbreak resistance” without specifying the workflow level will now be scored against an obsolete yardstick. Ask for the trajectory-tested number, not the chat refusal rate [1].

Sources

  1. arXiv 2607.03968: “Refused in Chat, Written in Code: Workflow-Level Jailbreak Construction in IDE Coding Agents” by Abhishek Kumar and Carsten Maple (July 4, 2026)
  2. The Register: “GitHub Copilot: Sorry Dave, I can't do that harmful thing - unless you ask me in code” by Jessica Lyons (July 8, 2026)
  3. State of Surveillance: “One Click and Microsoft Copilot Hands Over Your Data: Reprompt Attack”
  4. State of Surveillance: “Trapdoor Supply Chain Attack AI Coding Assistant Poisoning Cursor”