Skip to content
Tech News
← Back to articles

VS Code zero-day lets hackers steal GitHub tokens in one click

2026-06-03 | original
read original get VS Code Security Extension → more articles
Why This Matters

This zero-day vulnerability in Visual Studio Code poses a significant threat to developers and organizations by enabling attackers to steal GitHub tokens with a single click, potentially compromising private repositories and sensitive data. The exploit underscores the importance of timely security updates and user vigilance in safeguarding digital assets in the evolving landscape of software security.

Key Takeaways

A security researcher has released exploit code for a Visual Studio Code (VS Code) zero-day vulnerability that allows attackers to steal GitHub authentication tokens by tricking users into clicking a link.

Microsoft classifies a software flaw as a zero-day if it is publicly disclosed and/or actively exploited with no official patch currently available.

As researcher Ammar Askar explained in a blog post on Tuesday, this VS Code vulnerability allows attackers to install malicious extensions that steal GitHub OAuth tokens when they are passed to github.dev (a browser-based version of Visual Studio Code used to work on GitHub repositories) by exploiting VS Code's sandboxed webview message-passing system.

The proof-of-concept exploit he also released on Tuesday abuses this system by running malicious JavaScript inside a webview to simulate keypresses in the main editor and install an extension that extracts the GitHub OAuth token sent to github.dev and queries the GitHub API to enumerate all private repositories the victim can access.

"This functionality is achieved by github.com POSTing over an OAuth token to github.dev that allows it to interact with GitHub on your behalf," Askar said. "The token is not scoped to the particular repo you interacted with, meaning it has full access to every other repo that you have access to."

While the vulnerability is not yet patched and has not yet been assigned a CVE ID, VS Code users can protect themselves by clearing cookies and local site data for github.dev in their browser by clicking the Settings icon in the URL bar, and then going into Cookies and site data > Manage on-device site data.

This will ensure that they will get a "The extension 'GitHub Repositories' wants to sign in using GitHub." warning when clicking on links attempting to exploit this flaw.

github.dev initial sign-in dialog (Ammar Askar)

​Askar said they notified GitHub one hour before disclosing the bug and noted that they chose immediate public disclosure due to a prior negative experience with Microsoft's security response process, in which a previously reported VS Code bug was silently fixed without credit or acknowledgment of the security impact.

"That was mostly a courtesy to GitHub, the intent here was full public disclosure. In my past experience reporting github.dev bugs to them, they tell you that it's out of scope and go report it to MSRC. And as I outlined in the article, I really don't want to deal with MSRC on VSCode bugs," he added.

... continue reading

Explore topics: vs code github github.dev oauth tokens zero-day
Related:
Google is reportedly buying Play Store app code from devs, and you can guess why
Build 2026: Microsoft's MDASH exits preview with 100+ specialized threat-hunting AI agents
Microsoft's MAI-Code-1-Flash Scores 51% SWE-Bench Pro with Just 5B Active Params
MAI-Code-1-Flash
Microsoft launches Scout, an OpenClaw-inspired personal assistant

© 2026 GoKawiil

About | Editorial Policy | Contact