IMPORTANT SECURITY BREACH (.env) #294753

@alextepaa

Description

Type: Bug

Product: Copilot AI Integration

  1. Create a .env file with sensitive data
  2. Exclude it from git
  3. Exclude it from the AI using .copilot-ignore
  4. Ask if the AI can attempt to read it
  5. AI reads it without any issues

I have just had my entire env file scraped and sent to who knows where. I did not ask it anything about the env file. It was attempting to fix a Vite issue and decided it needed to look at the env file. Now I have the pleasure of spending the next 4 hours updating passwords.

Extension version: 0.36.2
VS Code version: Code 1.108.2 (c9d7799, 2026-01-21T13:52:09.270Z)
OS version: Windows_NT x64 10.0.26200
Modes:

System Info
| Item | Value |
|---|---|
| CPUs | 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz (8 x 2803) |
| GPU Status | 2d_canvas: enabled<br>direct_rendering_display_compositor: disabled_off_ok<br>gpu_compositing: enabled<br>multiple_raster_threads: enabled_on<br>opengl: enabled_on<br>rasterization: enabled<br>raw_draw: disabled_off_ok<br>skia_graphite: disabled_off<br>trees_in_viz: disabled_off<br>video_decode: enabled<br>video_encode: enabled<br>webgl: enabled<br>webgl2: enabled<br>webgpu: enabled<br>webnn: disabled_off |
| Load (avg) | undefined |
| Memory (System) | 47.69GB (19.24GB free) |
| Process Argv | --crash-reporter-id d1031150-c7f0-4eca-b7f8-16e7c4a27086 |
| Screen Reader | no |
| VM | 0% |
