Microsoft Secretly Stamped “Co-Authored-by: Copilot” on 1.4 Million Commits
A one-line code change made every developer on Earth look like they needed an AI babysitter — and the proof is baked into git history forever.
One engineer at Microsoft flipped a setting from “off” to “all” → 1.4 million git commits got tagged “Co-Authored-by: Copilot” → even when Copilot was disabled → the text was invisible in VS Code’s editor → and git commit messages are permanent.
Between you and me, this is the kind of thing that looks like a bug but smells like a business strategy. Microsoft just watermarked your work with their AI’s name — and you can’t undo it without rewriting your entire git history. [Source: The Register].

🧩 Dumb Mode Dictionary
| Term | Translation |
|---|---|
| Git commit | A save point in your code. Like hitting “save” in a video game, but everyone can see what you saved and when. |
| Co-authored-by | A tag at the bottom of a commit message saying “this person also helped write this code.” |
| Copilot | Microsoft’s AI coding assistant built into VS Code. It suggests code as you type. |
| VS Code | The most popular free code editor in the world — made by Microsoft. Used by ~30 million developers. |
| Git history | A permanent record of every change ever made to a codebase. Think of it as a diary that can’t be erased. |
| Opt-in vs Opt-out | Opt-in = you choose to turn it on. Opt-out = it’s already on and you have to figure out how to turn it off. |
| PR (Pull Request) | A formal request to merge your code changes into a project. Other people review it before it goes in. |
🔧 The One-Line Change That Broke Trust
Here’s what happened step by step:
- April 15, 2026: Microsoft engineer `cwebster-99` opened a pull request on GitHub that changed the `git.addAICoAuthor` setting from `"off"` to `"all"` in VS Code’s Git extension
- April 16: Another engineer, `dmitrivMS`, reviewed and merged it into the main branch. Two people. One line of code. Done.
- The change shipped in VS Code 1.118 to roughly 30 million users
- Nobody noticed for almost three weeks
The stated goal? “Add the trailer for all AI-generated code, including inline completions.” Sounds reasonable. Except the code was bugged — it stamped EVERY commit, even from devs who had Copilot completely turned off.
👻 The Invisible Stamp Problem
Here’s the sneaky part. One developer reported:
“The most concerning part is that I had already checked the commit message before committing… However, after the commit was created, the final Git history still contained the Copilot co-author line.”
The “Co-authored-by: Copilot” text was appended after the commit finalized. It didn’t show up in VS Code’s commit message box. So you’d type your message, hit commit, and the tag would appear in git history like a ghost.
You couldn’t see it. You couldn’t stop it. And once it’s in git history, it’s permanent — changing it means rewriting every commit hash downstream, which breaks everything for everyone working on the same project.
📊 The Receipts
| What | Number |
|---|---|
| Commits affected before fix | ~1.4 million |
| Days the bug was live | ~18 days (April 15 → May 3) |
| VS Code users worldwide | ~30 million |
| People who reviewed the PR | 2 |
| Lines of code changed | 1 |
| Date fix shipped | May 3, 2026 (VS Code 1.119) |
🗣️ What Developers Are Saying
The GitHub issue and Hacker News thread were on fire:
- `dmitrivMS` (the PR reviewer) apologized publicly, saying the implementation “should respect disabled AI features and accurate authorship”
- Developers pointed out this is a legal time bomb — if AI-authored code carries different copyright rules (which courts are still deciding), having Copilot stamped on your commit could void your copyright claim
- Some companies have policies against AI code in their repos. Devs who committed during these 18 days now have “proof” they used AI — even if they didn’t
- The Zig programming language flat-out forbids AI-assisted contributions. Any Zig contributor who used VS Code during this period now has suspect commits
- Linux kernel requires human sign-off on every commit — contaminated history creates a chain-of-custody nightmare
🔍 Bug or Strategy?
Let’s be real. Microsoft owns GitHub. Microsoft owns Copilot. Microsoft owns VS Code. The play here is obvious:
- More commits tagged “Copilot” → more “evidence” that developers rely on AI → more justification to raise Copilot prices → more leverage to sell Copilot Enterprise licenses
- It’s the same move as pre-checking “yes, send me marketing emails” during signup. Nobody reads. Everybody’s opted in.
The fact that they defaulted to "all" instead of "on" (which would only tag commits where Copilot was actually used) tells you everything. They wanted volume, not accuracy.
Now — was this intentional? Probably not this specific bug. But the default-to-all philosophy? Absolutely intentional. Heise called it out with a “WTF” in the headline.
Cool. So Microsoft Just Signed Your Code With AI’s Name. Now What the Hell Do We Do? (╯°□°)╯︵ ┻━┻

🕳️ The Git History Cleaner
Here’s what you do: thousands of open-source projects now have contaminated git history with false Copilot attribution. Maintainers need tools to identify and (where critical) rewrite these commits. Build a CLI tool that scans a repo, identifies commits between April 15–May 3 that contain the bogus trailer, and generates a clean git filter-branch script. Open-source it, but offer a hosted version for companies that need audit reports (legal teams LOVE PDFs with stamps on them).
Example: A 26-year-old DevOps contractor in Lisbon builds git-unclaim in a weekend using Python + GitPython. Posts it on r/programming. Gets 800 GitHub stars in 48 hours. Three enterprise clients reach out within a week — they need clean audit trails for SOC 2 compliance. She charges €500/repo for the audit report.
Timeline: First stars in 2 days. First paying client in 7 days. Window closes in ~6 weeks once major CI/CD platforms build this in natively.
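A minimal version of the scan step described above, as an added example (not code from the article or from any existing tool): it reads `git log` output, relies on git's own trailer parser, and returns commits inside the April 15 to May 3 window that carry a Copilot co-author. The exact trailer value (`Copilot`, optionally followed by an e-mail) and all function names are assumptions; the sample records are constructed.

```python
import subprocess
from datetime import datetime, timezone

# Window from the article: change merged April 15, fix shipped May 3 (2026).
START = datetime(2026, 4, 15, tzinfo=timezone.utc)
END = datetime(2026, 5, 4, tzinfo=timezone.utc)  # exclusive upper bound
# Fields: sha, committer date, Co-authored-by values; one NUL-terminated record each.
FMT = "%H%x1f%cI%x1f%(trailers:key=Co-authored-by,valueonly,separator=%x1e)%x00"

def parse_log(raw):
    """Yield (sha, commit_time, [co-author values]) from FMT-formatted log text."""
    for rec in raw.split("\x00"):
        rec = rec.strip("\n")
        if not rec:
            continue
        sha, when, trailers = rec.split("\x1f", 2)
        # Newer git prints UTC as "Z"; older Pythons need an explicit offset.
        ts = datetime.fromisoformat(when.replace("Z", "+00:00"))
        yield sha, ts, [t.strip() for t in trailers.split("\x1e") if t.strip()]

def is_copilot(value):
    # Assumption: the trailer's name part is "Copilot", optionally with <email>.
    return value.split("<")[0].strip().lower() == "copilot"

def flagged(raw, start=START, end=END):
    """Return SHAs committed inside the window that carry a Copilot co-author."""
    return [sha for sha, ts, co in parse_log(raw)
            if start <= ts < end and any(is_copilot(v) for v in co)]

def scan_repo(path="."):
    """Run git against a real repository and return the flagged SHAs."""
    out = subprocess.run(["git", "-C", path, "log", "--all", f"--format={FMT}"],
                         check=True, capture_output=True, text=True).stdout
    return flagged(out)

# Constructed sample in FMT layout (not real commits).
SAMPLE = (
    "a1\x1f2026-04-20T09:00:00+02:00\x1fCopilot <copilot@example.invalid>\x00\n"
    "b2\x1f2026-04-21T12:00:00Z\x1fJane Doe <jane@example.invalid>\x00\n"
    "d4\x1f2026-05-03T23:30:00-05:00\x1fCopilot\x00\n"  # May 4 in UTC: outside
    "e5\x1f2026-05-01T08:00:00Z\x1fJane Doe <jane@example.invalid>\x1eCopilot\x00\n"
)

if __name__ == "__main__":
    print(flagged(SAMPLE))
```

A hit only means the trailer is present in that window; whether Copilot actually contributed to the commit still has to be decided per commit.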
📡 The AI Compliance Scanner
Companies like Zig, Linux Foundation, and any firm with “no AI code” policies now have a new problem: how do you prove code WASN’T AI-generated when the commit history says it was? Build a VS Code extension that monitors git.addAICoAuthor settings, alerts if they change, and generates a signed attestation log. Think of it as a dash cam — but for your coding environment. Target it at defense contractors and financial firms where AI-code-in-production can violate regulations.
Example: A 31-year-old security consultant in Warsaw packages this as a VS Code extension called “CodeProvenance.” Banks in the EU need MiFID II compliance on algorithmic trading software → any AI tag on commits triggers a manual review. He sells annual licenses at €200/seat to three mid-size banks. 150 seats total = €30K/year.
Timeline: MVP extension in 5 days. First enterprise inquiry in 2 weeks. Gets cloned by a bigger player in 3 months — but by then you’ve locked in annual contracts.
🪟 The Patch Window Arbitrage
Between you and me, this controversy just made VS Code alternatives relevant again. Every developer who’s pissed about this is Googling “Cursor”, “Zed”, and “Neovim setup 2026” right now. Here’s the play: write comparison guides — not generic “top 10 editors” garbage, but specific migration guides. “How to move from VS Code to Zed without losing your keybindings and extensions.” Target the exact keywords developers search when they’re angry. Monetize with affiliate links to premium editor plugins and courses.
Example: A 22-year-old tech writer in Nairobi writes “The VS Code Exodus Guide” on dev.to and mirrors it on his own blog. Includes affiliate links to Cursor Pro ($20/mo, 20% affiliate cut) and a Neovim course on Udemy. Post gets 45K views from Hacker News traffic alone. Affiliate income: $380 in the first month, plateauing at ~$120/month as the outrage fades.
Timeline: Publish within 48 hours of the news cycle. Peak traffic in 3-5 days. Revenue tails off after 6 weeks but SEO keeps it alive at lower volumes.
🎣 The Copyright Ambiguity Exploit
Here’s the diabolical angle. Some jurisdictions are moving toward the position that AI-generated code isn’t copyrightable. Now you have 1.4 million commits that falsely claim AI co-authorship. For open-source projects with restrictive licenses (GPL, AGPL), this creates a legal grey zone: can a competitor argue the code is public domain because “the commit history shows AI wrote it”? Build a legal brief template + explainer site targeting open-source project maintainers who need to protect their IP. Charge for the template. Give the explainer away free for SEO.
Example: A 28-year-old paralegal in Toronto who moonlights in open-source sees the angle. Partners with a copyright attorney to create a “Git Copyright Defense Kit” — a $49 template pack (cease & desist letter, commit attestation form, license clarification statement). Sells 200 copies in the first month through a Gumroad listing promoted on r/opensource. Revenue: $9,800.
Timeline: Template ready in 4 days. First sales within a week. This one has legs — the copyright question won’t be settled for years, so the templates stay relevant.
🛡️ The Developer Settings Watchdog
Microsoft just proved that any VS Code update can silently change your settings. Not just Copilot — telemetry, extension permissions, anything. Build a lightweight daemon (background tool) that monitors your VS Code settings.json for unauthorized changes after updates, diffs them against your locked baseline, and rolls back anything you didn’t approve. Think “uBlock Origin, but for your editor config.” Free tier gets monitoring. Paid tier ($3/mo) gets auto-rollback and Slack/Discord alerts for teams.
Example: Two developers in Kraków build vscode-lockdown as an open-source CLI with a paid cloud dashboard for teams. Post it on ProductHunt during the controversy. 1,200 free signups in the first week. 8% convert to paid at $3/mo = $288 MRR growing to ~$600/mo as word spreads through DevOps Slack groups.
Timeline: CLI prototype in 3 days (it’s just file watching + diffing). ProductHunt launch within 10 days of the news. Paid conversions start in week 3.
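One caveat for a watcher like this: a changed default never touches `settings.json`, so diffing the file alone would not have caught the `git.addAICoAuthor` flip. The added example below (not from the article; function names and sample files are constructed) therefore reports a baseline key that is missing from the file as a finding, alongside values that drift from the locked baseline.

```python
import json

# Locked baseline of reviewed settings. Key and value come from the article.
BASELINE = {"git.addAICoAuthor": "off"}

def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas; leave string contents alone."""
    out, i, n, comma = [], 0, len(text), None
    while i < n:
        c = text[i]
        if c == '"':                          # copy a string literal verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i, comma = j + 1, None
        elif text.startswith("//", i):        # line comment: skip to end of line
            nl = text.find("\n", i)
            i = n if nl < 0 else nl
        elif text.startswith("/*", i):        # block comment
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
        else:
            if c in "}]" and comma is not None:
                out[comma] = ""               # the last comma was a trailing one
            if not c.isspace():
                comma = len(out) if c == "," else None
            out.append(c)
            i += 1
    return "".join(out)

def audit(settings_text, baseline=BASELINE):
    """Return {key: finding} for baseline keys that are unpinned or have drifted."""
    current = json.loads(strip_jsonc(settings_text).strip() or "{}")
    findings = {}
    for key, want in baseline.items():
        if key not in current:
            # Absent from the file: the shipped default applies, and an update
            # can change that default without this file changing at all.
            findings[key] = "unpinned"
        elif current[key] != want:
            findings[key] = f"drift: {current[key]!r} != {want!r}"
    return findings

# Constructed settings.json contents (JSONC: comments and trailing commas allowed).
SAMPLE_UNPINNED = '{\n  // editor prefs\n  "editor.fontSize": 14,\n}\n'
SAMPLE_DRIFT = '{ "git.addAICoAuthor": "all", /* changed */ }'
```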
🛠️ Follow-Up Actions
| Priority | Action | Tool/Link |
|---|---|---|
| | Check if your commits were affected: `git log --after="2026-04-15" --before="2026-05-04" --grep="Co-authored-by"` | Your terminal |
| | Update VS Code to 1.119+ | VS Code Downloads |
| | Verify `git.addAICoAuthor` is set to `"off"` in your settings | VS Code Settings → search “addAICoAuthor” |
| | Review your org’s AI code policy — does contaminated history matter? | Talk to your legal team |
| | Consider editor alternatives if trust is broken | Zed, Cursor, Neovim |
| | Watch the copyright implications unfold | EFF on AI Copyright |
Quick Hits
| Want to… | Do this |
|---|---|
| | Run `git log --grep="Co-authored-by: Copilot"` in every repo you touched since April 15 |
| | Pin your VS Code version and review changelogs before updating |
| | Add a CONTRIBUTING.md with explicit AI attribution policy |
| | Use `git filter-branch` or BFG Repo-Cleaner — but coordinate with your team first |
| | Zed is fastest, Cursor has best AI, Neovim has best trust |
One line of code. Two reviewers. 1.4 million commits. Zero consent. And they wonder why developers have trust issues.