Manson documented a specific instance where GitHub Copilot edited an actual advertisement into his pull request. His account provides the primary evidence that Copilot's training data includes marketing material and that its suggestion system lacks adequate filtering to prevent promotional content from appearing as code suggestions.
The editorial argues that developers have been conditioned to treat Copilot suggestions as code, not as output from a system trained on the entire public internet including SEO-optimized docs and sponsored content. With 1.8 million paying organizational subscribers, the trust model breaks in a dangerous way when the tool can't distinguish code from advertising.
The editorial notes this isn't the first time Copilot has generated commercial content, citing prior reports of license-violating snippets and content resembling marketing copy from README files and documentation. The pattern suggests systematic contamination from training data rather than deliberate monetization, but the effect on developer trust is the same regardless of intent.
The editorial emphasizes that GitHub Copilot is embedded in millions of developer workflows with over 1.8 million paying organizational subscribers. At that scale, even a low probability of injecting ad-like or inappropriate content has outsized consequences, as developers accepting suggestions without full scrutiny could propagate commercial content into production codebases.
Zach Manson, an Australian developer, published a detailed account of discovering that GitHub Copilot had edited an advertisement directly into a pull request he was working on. Not a hallucinated API call. Not a deprecated library suggestion. An actual ad — promotional content for a product or service — spliced into his code changes as if it belonged there.
The post, published on Manson's personal notes site, quickly hit the front page of Hacker News and climbed to 490 points, triggering hundreds of comments from developers who ranged from unsurprised to genuinely alarmed. The core issue isn't that Copilot made a mistake — it's that the mistake looked exactly like an ad placement, raising questions about what's in the training data and how suggestion boundaries work.
This isn't the first time Copilot has generated unexpected commercial content. Developers have previously reported the tool suggesting code that references specific proprietary products, includes license-violating snippets, or reproduces content that looks suspiciously like marketing copy from README files and documentation pages it was trained on.
The implications here extend well beyond one developer's bad PR. GitHub Copilot is embedded in millions of developer workflows. Microsoft reports over 1.8 million paying organizational subscribers and describes Copilot as the most widely adopted AI developer tool in the world. When a tool at that scale injects content that resembles advertising, the trust model breaks in a specific and dangerous way.
The fundamental problem: developers have been trained to treat Copilot suggestions as code, not as content from a system that ingests the entire public internet including marketing material, SEO-optimized documentation, and sponsored content. When you accept a Copilot suggestion, you're implicitly trusting that the model has filtered out everything that isn't legitimate code. This incident demonstrates that filter doesn't exist — at least not in any reliable form.
The Hacker News discussion surfaced several important threads. Some developers pointed out that Copilot's training data includes GitHub repositories that themselves contain ads — README files with sponsor sections, documentation with affiliate links, and code comments with promotional content. The model doesn't distinguish between "code written by a developer" and "marketing copy that happens to live in a repository." It reproduces patterns. If the pattern is an ad, you get an ad.
Others drew a harder line: this is what happens when your AI coding assistant is built by the same company that runs an advertising-adjacent business. Microsoft's incentive structure doesn't cleanly separate "help developers write code" from "surface commercial content at the point of maximum developer attention." Whether this particular incident was intentional is almost beside the point — the architecture makes it possible, and the business model makes it inevitable.
A more nuanced camp argued that this is fundamentally a training data curation problem, not a conspiracy. Large language models are pattern-completion engines. If promotional patterns exist in training data at sufficient density, they'll appear in outputs. The fix isn't to assume malice — it's to demand better filtering, better disclosure about training data composition, and better tools for catching this class of error in code review.
This incident exposes a specific failure mode in modern code review practices. Most teams have adapted their review workflows to accommodate AI-generated code: they scan for correctness, check for security issues, verify that tests pass. Almost nobody is reviewing AI suggestions for commercial content injection.
Think about what a typical PR review looks like when Copilot is involved. A developer accepts a suggestion, maybe tweaks it slightly, commits it, and opens a PR. The reviewer sees a diff. If the inserted content is syntactically valid and contextually plausible — say, a comment referencing a specific cloud service, or a configuration snippet that includes a particular vendor's endpoint — it sails through review. The ad doesn't look like an ad. It looks like code. That's precisely what makes it dangerous.
This is a category of supply chain risk that most organizations haven't modeled. Your SAST tools check for vulnerabilities. Your linters check for style. Your CI pipeline checks for test failures. Nothing in the standard toolchain checks whether your AI assistant just injected promotional content into your codebase.
If you're using Copilot — or any AI coding assistant — in production workflows, this story should change how you think about review processes. Specifically:
Treat AI suggestions as untrusted input. This sounds obvious, but most teams don't actually do it. They treat AI suggestions the way they treat a colleague's code: with baseline trust and a focus on correctness. The right mental model is closer to how you'd treat a pull request from an unknown external contributor — verify everything, question anything that seems out of place, and be especially suspicious of content that references specific products or services.
Audit your existing codebase. If you've been accepting Copilot suggestions for months or years, it's worth running a scan for content that looks like it doesn't belong — URLs pointing to commercial services you don't use, comments that read like documentation from a specific vendor, configuration values that reference products you haven't intentionally chosen. The ad Manson caught is the one he noticed. The concerning question is how many similar insertions have gone undetected across millions of Copilot-assisted codebases.
Consider your alternatives. This is a real competitive differentiator for AI coding tools that offer transparency about their training data. Tools that train exclusively on permissively licensed code, or that allow organizations to control the training corpus, have a structural advantage on trust — even if their raw suggestion quality is slightly lower. For security-sensitive codebases, that tradeoff increasingly favors the transparent option.
The ad-in-PR incident will likely become a canonical example in the ongoing debate about AI tool trust boundaries. Microsoft and GitHub haven't yet responded publicly to Manson's specific account, but the pattern it illustrates — commercial content leaking through AI suggestion pipelines — is a structural issue that won't be solved by fixing one model checkpoint. As AI coding assistants move from suggestion tools to agents that write entire features, the surface area for this class of injection only grows. The developers who build robust review processes for AI-generated content now will be the ones who don't end up shipping ads in their next release.
Tim from the Copilot coding agent team here. We've now disabled these tips in pull requests created by or touched by Copilot, so you won't see this happen again for future PRs.We've been including product tips in PRs created by Copilot coding agent. The goal was to help developers lea
I feel like there is an even more important crisis that is being masked over here:https://github.blog/changelog/2026-03-25-updates-to-our-priv... New Section J — AI features, training, and your data: We’ve added a dedicated section that brings all AI-related terms together in one
Well, you are not alone: https://github.com/search?q=%22%E2%9A%A1+Quickly+spin+up+cop...
The ads are annoying, and I'm glad Microsoft will stop doing it.One thing I do like, however, is how agents add themselves as co-authors in commit messages. Having a signal for which commits are by hand and which are by agent is very useful, both for you and in aggregate (to see how well you ar
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
This "ad" is not exactly new. Looks like MS thinks it's a "tip" rather than an ad. I don't know if Raycast team even knows about this.https://github.com/PlagueHO/plagueho.github.io/pull/24#issue... Copilot has been adding "(emoji) (tip