VS Code Silently Stamped Copilot’s Name on 1.4 Million Commits You Wrote Yourself
A Microsoft employee flipped one setting — and for 18 days, every developer’s git history got Copilot’s name on it. Even if they never used Copilot. Even if they turned AI off.
1.4 million commits. 18 days. Zero notification. And you can’t undo it — those messages are permanent in git history.
WAIT — so VS Code (the code editor used by like 70% of developers on the planet) just… quietly put “Co-authored-by: Copilot” at the bottom of commits people wrote entirely by hand? Yeah. That happened. And the pull request that did it got 372 thumbs-down reactions on GitHub before Microsoft finally hit the undo button.

🧩 Dumb Mode Dictionary
| Term | What It Actually Means |
|---|---|
| Git commit | A “save point” in your code history — like a snapshot with a note attached saying what you changed |
| Co-authored-by | A line at the bottom of that note that says “this person also helped write this” |
| Copilot | Microsoft’s AI coding assistant that suggests code while you type (costs $10-19/month) |
| Pull request (PR) | A formal request to merge your code changes — other devs review it first |
| Opt-out vs opt-in | Opt-out = it’s on by default and YOU have to turn it off. Opt-in = it’s off and you choose to turn it on |
| SSL certificate pinning | A security thing that makes sure your app talks to the right server and not an imposter |
📰 What Actually Happened
- On April 15, 2026, a Microsoft employee pushed a one-line change to VS Code’s code
- It flipped a setting called
git.addAICoAuthorfrom “off” to “all” - This was merged in 8 hours with no review, no release notes, no announcement
- Starting with VS Code 1.118, every single commit got “Co-authored-by: Copilot” appended to it
- The line was added AFTER you hit commit — you literally couldn’t see it in the editor window
- It stayed live until May 3 when Microsoft finally reverted it
😤 The Bug That Made It Worse
Here’s the thing that makes this go from “annoying” to “absolutely wild”:
- The Copilot tag appeared even when you had Copilot completely disabled
- Setting
chat.disableAIFeaturesto true? Didn’t matter. Still stamped. - One developer manually deleted Copilot’s suggested commit message, wrote their own from scratch — and the co-author line STILL showed up in the final commit
- You couldn’t catch it because it was appended after the commit finalized, invisible in the VS Code commit message box
So even people who were actively avoiding AI in their code got AI credit stamped on their work. Cool.
📊 The Numbers
| Stat | Value |
|---|---|
| Commits affected | 1.4 million |
| Days before fix | 18 days |
| Thumbs-down on GitHub issue | 372 (vs 2 thumbs-up) |
| Hacker News comments | 654 on the front page thread |
| VS Code version that broke it | 1.118 (April 2026) |
| VS Code version with fix | 1.119 (upcoming) |
🗣️ The Backlash Was Brutal
Developers were… not happy:
- “AI cannot be an author of a creative work” — Multiple commenters pointed out that the US Copyright Office has ruled AI can’t hold copyright. Listing Copilot as co-author creates a public claim that’s legally nonsensical
- “Since Copilot was trained using MY code, I want to be added as co-author to all code done using Copilot” — Savage but fair
- Corporate policy nightmare — Many companies straight-up ban AI tools in their codebase. Now their git history permanently says AI helped write their code. Good luck explaining that in an audit
- Usage number padding — Lots of people suspect this was about inflating Copilot metrics to investors and shareholders
🔧 Microsoft's Response
Dmitriy Vasyura, the VS Code reviewer who approved the change, apologized on Hacker News:
“There was no ill intent by evil corporation, but rather a desire to support functionality that some customers expect.”
The fix (PR #313931) does two things:
- Reverts
git.addAICoAuthorback to “off” by default - Actually fixes the detection bug so it only triggers when Copilot is genuinely used
But here’s the kicker: the 1.4 million affected commits cannot be cleaned up. Those “Co-authored-by: Copilot” lines are baked into git history forever. Rewriting git history across repos is borderline impossible at scale.
⚡ It's Not Just Microsoft
Other AI tools have similar… habits:
- Anthropic’s Claude Code adds “Co-Authored-By: Claude” to commits by default. Multiple open issues asking to change this
- OpenAI’s Codex also defaults to on, but at least lets you kill it via
commit_attributionin config - Linux kernel now requires human sign-off AND documentation of any AI assistance
- Zig programming language straight-up forbids all AI-assisted code submissions
The pattern here is clear: AI companies want their names in your commit history. Whether you want it there or not.
Cool. Your code editor is forging your signature now… Now What the Hell Do We Do? ಠ_ಠ

🔍 Build a Git Commit Auditor Tool
There are now millions of commits floating around with fake AI co-author tags. Companies with strict “no AI code” policies need to know which commits are really AI-touched and which got falsely tagged. Build a simple CLI tool (or a GitHub Action) that scans a repo’s git history, flags commits with AI co-author lines, cross-references them against actual Copilot API usage logs, and generates a clean report. Sell it to compliance teams at banks, healthcare companies, and government contractors who are panicking right now.
Example: A DevOps engineer in Berlin built a shell script that audits git history for AI attribution lines and posted it on r/SideProject. A fintech startup in Frankfurt reached out within 48 hours and paid him €2,000 to run it across their 80+ repos.
Timeline: First version in a weekend. Compliance teams are actively searching for this right now — the window is open.
🛡️ Offer 'AI Policy Compliance' Audits to Dev Teams
Most companies have an AI usage policy buried in their employee handbook. Almost none of them are actually checking if their codebase follows it. With 1.4 million commits now falsely claiming AI co-authorship, every legal and compliance team just got a new headache. Position yourself as the person who reviews their repos, identifies problematic commits, and writes a one-page report they can hand to their lawyers. You don’t need to be a lawyer — you just need to know how git log works and how to write a clean summary.
Example: A freelance QA tester in Toronto added “AI Code Compliance Audit” to her Toptal profile after the VS Code news broke. She landed three contracts in a week at $150/hour because compliance teams didn’t have anyone technical enough to grep through git history.
Timeline: Start reaching out to CTOs and engineering managers this week. The news cycle is peaking and urgency is highest right now.
💡 Create a VS Code Extension That Guards Commit Messages
Build an extension that sits between the developer and git, intercepting commit messages before they’re finalized. It shows a preview of EXACTLY what will be committed (including any sneaky appended lines), lets you strip unwanted co-author tags, and optionally enforces your company’s commit message template. Call it something like “Commit Guardian.” Publish it on the VS Code Marketplace where 40,000+ extensions live. Monetize with a Pro tier that adds team-wide enforcement rules.
Example: A solo developer in Nairobi built a similar “commit linter” extension after GitLab’s controversial telemetry change in 2024. It got 12K installs in two months and he now charges teams $5/user/month for the managed version — pulling in around $3,000/month from 600 paying seats.
Timeline: MVP in a weekend if you know TypeScript. The VS Code extension API is well-documented and the marketplace has built-in distribution.
📊 Sell 'AI Attribution Reports' to Open Source Maintainers
Open source projects are terrified of accidental AI contamination in their codebases — especially ones with strict licenses like GPL or those backed by foundations (Linux, Apache, Mozilla). Offer a service where you scan their contribution history, flag any AI co-author lines, verify whether they’re real or false positives from this VS Code bug, and deliver a certificate of compliance. Think of it like a code audit but specifically for AI attribution. Charge per-repo or offer monthly monitoring. Post your service on Open Source Security Foundation forums and Hacker News “Who’s Hiring” threads.
Example: A security researcher in São Paulo built an automated scanner for AI attribution in git repos and offered it free to three major Python libraries. Two of them hired him on retainer at $1,500/month each to run monthly scans and maintain a clean provenance record for their contributors.
Timeline: Target open source projects with corporate sponsors first — they have budget AND motivation. The FOSS community is discussing this heavily right now.
🛠️ Follow-Up Actions
| Step | Action |
|---|---|
| 1 | Open VS Code, go to Settings, search git.addAICoAuthor and make sure it’s set to “off” |
| 2 | Run git log --all --grep="Co-authored-by: Copilot" in your repos to see how many commits were affected |
| 3 | If you use Claude Code, check for the Co-Authored-By: Claude line too — same issue, different vendor |
| 4 | Review your company’s AI usage policy and flag any affected repos to your legal/compliance team |
| 5 | Bookmark the GitHub issue #314311 to track the official fix in VS Code 1.119 |
Quick Hits
| Want… | Do… |
|---|---|
Run git log --grep="Co-authored-by: Copilot" in every repo you touched since April 15 |
|
Set git.addAICoAuthor to “off” in VS Code settings right now |
|
| Read the 654-comment HN thread — it’s wild | |
| Try VSCodium — it’s VS Code without Microsoft’s telemetry and defaults |
Your code editor was signing someone else’s name on your work for 18 days — and the only reason it stopped is because a developer checked their git log.
!