VS Code Is Actually Stealing Credit for Your Work. It's Worse Than You Think.
I found 412 commits in my private infrastructure repo an hour ago that I didn't write alone. At least, that’s what the metadata says.
According to my git log, I’ve been pair-programming with a ghost for the last three months, and it’s a ghost I never invited to the terminal.
If you use VS Code and GitHub Copilot, **your git history is likely being poisoned right now.** Microsoft has quietly started injecting "Co-authored-by: GitHub Copilot" into commit trailers, often regardless of whether the AI actually wrote a single line of that specific change.
It sounds like a minor metadata glitch, but for anyone who cares about code provenance, security, or legal liability, it’s a massive breach of trust.
The Midnight Git Log Audit
It was 11:30 PM on a Sunday, May 3, 2026, and I was doing a routine audit of a Terraform provider I’ve been maintaining.
I ran a standard `git log` to check some attribution for a contributor when I saw it. A block of text at the bottom of my own commit message: **Co-authored-by: GitHub Copilot
I hadn't used Copilot for that commit. In fact, I was testing a logic gate that Copilot kept hallucinating on, so I had explicitly toggled the extension off an hour prior.
Yet, there it was, etched into the immutable history of my repository. **Microsoft was claiming partial credit for my manual labor.**
I spent the next two hours digging through other repositories, from my personal Go experiments to production-grade Kubernetes manifests. The pattern was consistent and chilling.
If the VS Code window had Copilot "active" in the workspace, the commit command — even when run via the UI — was appending the co-author tag.
Why Microsoft Is "AI-Washing" Your Repo
Why would a multi-billion dollar entity care about a tiny string at the bottom of your commit? The answer lies in the **aggressive pursuit of "AI-Impact" metrics** for shareholders.
By forcing a co-author tag into millions of daily commits, Microsoft can claim that "90% of all software development is now AI-augmented."
It’s a classic case of telemetry-driven product management gone rogue.
They aren't just measuring how much code the AI writes; they are **manufacturing the evidence of its necessity.** If every successful PR in your organization has an AI's name on it, it becomes impossible to argue that the AI isn't providing value, even if it was just sitting in the background while you did the heavy lifting.
This isn't just about padding stats, though.
There is a deeper, more cynical play regarding **Intellectual Property (IP) and training loops.** By marking code as "co-authored" by their agent, they are blurring the lines of ownership in a way that favor the house.
If their agent is a "co-author," the legal argument for using that code to train the next iteration of Copilot or ChatGPT 5 becomes significantly easier for their legal teams to defend.
The Hidden Cost of False Attribution
For a junior developer, this might seem like a "cool" badge of honor.
For those of us in infrastructure and security, **it’s a nightmare for auditing.** When a production system fails due to a logic error, the first thing we do is look at the git blame.
We need to know who wrote the code, why they wrote it, and what their state of mind was.
If every commit is "Co-authored by Copilot," the signal-to-noise ratio drops to zero. Was this a human error, or did the AI suggest a deprecated API call that bypassed our security linter?
**We can no longer distinguish between human intent and machine suggestion.** This ambiguity is exactly where catastrophic bugs hide.
Furthermore, many enterprises have strict policies against AI-generated code in core security modules.
By injecting these tags automatically, VS Code is making developers **unknowingly violate their own company policies.** I’ve already seen one Hacker News thread where a developer was put on a Performance Improvement Plan (PIP) because their "AI-authored" commits spiked during a period where AI tools were technically banned for a specific government contract.
Is Your Code Still Yours?
We are entering an era where "Proof of Human" is becoming a luxury.
When I ship a piece of code, I want my name on it because **I am the one responsible for its failure.** Accountability is the bedrock of engineering.
If I share that accountability with a black-box model that I didn't even use for the task, the entire concept of "Senior Engineer" begins to erode.
I tested this behavior against other editors. **Cursor, which uses Claude 4.6, doesn't do this.** It asks. It respects the commit message.
Even the latest Gemini 2.5 integration in various IDEs treats the commit message as a sacred space for the developer.
Microsoft’s decision to override the user's intent in the commit flow is a uniquely arrogant move that assumes the IDE knows more about the work than the person doing it.
If you’re working on an open-source project, this is even more dangerous. Maintainers often use attribution to decide who gets maintainer bits or who gets invited to steering committees.
If a "bot" is taking 50% of the credit for your contributions, **you are being statistically erased from the community you are building.**
How to Reclaim Your Commit History
If you’re like me and you want your git log to reflect reality, you need to act now.
This isn't just a setting you can toggle off with one click; it’s baked into the way the GitHub Repositories and Copilot extensions interact with the VS Code source control provider.
First, you need to check your history. Run this in your terminal right now: `git log | grep "Co-authored-by: GitHub Copilot"`
If you see results you didn't expect, you have two choices.
You can either live with the lie, or you can **rebase and scrub.** For small personal projects, a simple `git filter-branch` (or the newer `git-filter-repo`) can strip these trailers out, but be warned: this will change your commit hashes and break any existing PRs.
To stop it from happening in the future, you need to dive into your VS Code `settings.json`.
Look for `github.copilot.editor.enableAutoCommitAttribute` or similar hidden flags that Microsoft occasionally experiments with in the Insiders build.
Better yet, **stop using the VS Code UI for commits.** Stick to the CLI. The terminal doesn't lie, and it doesn't "help" you write your metadata unless you tell it to.
The Future of the Human-AI Hybrid
We are at a crossroads in the 2026 development landscape. AI is an incredible tool — I use it daily for boilerplate, unit tests, and regex.
But a tool should never be a co-author unless it has **skin in the game.** Copilot won't be there at 3 AM when the load balancer starts dropping 500s.
It won't be there to explain the logic to a security auditor.
We need to demand that our tools respect the boundary between **assistance and attribution.** If we let the "AI-washing" of our repositories continue, we aren't just losing credit; we’re losing the map of how our software was actually built.
And in this industry, the map is often more important than the territory.
Have you checked your git log today? You might be surprised to find out who you’ve been "working" with lately. Let’s talk about it in the comments — has this happened in your company’s repos yet?
---
Story Sources
From the Author
Hey friends, thanks heaps for reading this one! 🙏
Appreciate you taking the time. If it resonated, sparked an idea, or just made you nod along — let's keep the conversation going in the comments! ❤️