Cybersecurity experts have identified a new vulnerability in Microsoft Visual Studio Code (VS Code) that allows attackers to steal GitHub OAuth tokens with a single click. This alarming discovery highlights significant security risks for GitHub users, enabling unauthorized access to both public and private repositories.
Exploiting GitHub.dev’s Functionality
Security researcher Ammar Askar revealed that GitHub users are at risk when using the GitHub.dev feature, a web-based code editor that operates within a browser sandbox. This feature facilitates code commits and pull requests, functioning through OAuth tokens that permit GitHub interaction.
Askar explained that these tokens, crucial for GitHub.dev operations, are not restricted to specific repositories. Consequently, this lack of scope enables them to access all repositories the user can, thus broadening the potential impact of a breach.
The Mechanism Behind the Attack
The vulnerability leverages malicious VS Code extensions to hijack the OAuth tokens. Attackers exploit the message-passing mechanism between the main VS Code window and webviews, which render elements like Markdown previews. By executing harmful JavaScript within an untrusted webview, attackers simulate keypresses to open the Command Palette and install extensions that can extract tokens.
The attack further manipulates VS Code’s local workspace extensions feature. By placing extensions directly into specific folders, attackers bypass any trust dialog, avoiding the publisher trust check, and seamlessly installing unauthorized extensions.
Response and Mitigations
Microsoft was informed of the issue on June 2, 2026, and acknowledged the vulnerability shortly after. Although a fix is underway, the situation underscores the importance of vigilant cybersecurity practices among developers and organizations.
Alexandru Dima, a software engineering manager at Microsoft, clarified that this vulnerability does not impact the desktop version of VS Code, limiting the scope of the threat to the web-based environment. Users are encouraged to remain cautious and monitor updates from Microsoft regarding this issue.
As the cybersecurity community continues to address this vulnerability, it serves as a reminder of the evolving nature of digital threats and the necessity for robust security measures.
