A vulnerability in GitHub.dev allows attackers to obtain OAuth tokens with a single click.

A vulnerability in VS Code on GitHub.dev allows attackers to obtain complete GitHub OAuth tokens through a single malicious link, endangering all private repositories.

Every developer who has ever pressed the period key on a GitHub repository page, which opens the browser-based VS Code editor known as GitHub.dev, has entered into an agreement without noticing it. In return for a lightweight coding environment, GitHub quietly issues an OAuth token for the session, and that token grants read and write access to every repository the user can reach, not just the one they opened.

Security researcher Ammar Askar has demonstrated how a single malicious link can hijack that token outright. The proof-of-concept attack, published on June 2, 2026, chains several VS Code behaviors to install a malicious extension inside GitHub.dev, exfiltrate the OAuth credential, and enumerate every private repository the victim can access. Microsoft has acknowledged the issue and says it is working on a fix. According to Alexandru Dima, a partner software engineering manager at the company, the vulnerability does not affect the VS Code desktop application.

**How the attack operates**

The exploit starts with a malicious GitHub.dev link pointing at a repository that contains a booby-trapped Jupyter notebook. When the victim clicks it, GitHub.com automatically hands an OAuth token to the GitHub.dev session. That token is not scoped to the repository being opened; it carries full access to every repository the user can see, private ones included.

The notebook hides an HTML snippet whose onerror handler runs attacker-controlled JavaScript inside a sandboxed webview iframe. VS Code uses these webviews to render Markdown previews, notebook editors and other rich content. The core flaw is that a webview can relay keyboard events, keydown events in particular, to the main editor window through the postMessage API, and the editor handles them as if the user had typed them.

The payload waits a few seconds for VS Code's notification offering to install the repository's extension, then sends a synthetic Ctrl+Shift+A keystroke. That shortcut is bound to the "Accept Notification Primary Action" command, so it approves installation of the attacker-controlled extension without any user interaction. Once installed, the extension reads the GitHub OAuth token and uses it to list every private repository the victim can access.
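To make the mechanism concrete, here is an added illustration that is not code from the article, from Askar's proof of concept, or from VS Code. It models, in plain JavaScript with no DOM, a host window that receives keyboard messages from a sandboxed webview and resolves them against a keybinding table. The message shape (`did-keydown`), the `origin` tag, the keybinding table and the gesture-only command list are assumptions of this model, not VS Code's real protocol or command identifiers; the only binding taken from the article is Ctrl+Shift+A to "Accept Notification Primary Action". The vulnerable router treats a relayed keydown exactly like a real keystroke; the hardened router stamps every message that crossed the iframe boundary as untrusted and refuses to let untrusted input fire commands that approve or install something, while leaving ordinary shortcuts working from the webview.

```javascript
// Added example (not the article's or VS Code's code): a host window that
// resolves keyboard events into editor commands, once without and once with
// a trust boundary between the sandboxed webview and the host.

// Constructed keybinding table: chord -> command name.
// Ctrl+Shift+A -> "Accept Notification Primary Action" is the binding the
// article describes; "Save File" is a hypothetical second entry.
const KEYBINDINGS = new Map([
  ['ctrl+shift+a', 'Accept Notification Primary Action'],
  ['ctrl+s', 'Save File'],
]);

// Commands that approve or install something and therefore must only run
// from a real user gesture. Which commands belong here is an assumption.
const GESTURE_ONLY = new Set(['Accept Notification Primary Action']);

// Normalise a keydown-like object into a chord string such as "ctrl+shift+a".
function chordOf(ev) {
  const parts = [];
  if (ev.ctrlKey) parts.push('ctrl');
  if (ev.shiftKey) parts.push('shift');
  if (ev.altKey) parts.push('alt');
  parts.push(String(ev.key).toLowerCase());
  return parts.join('+');
}

// Inbound adapters. The host, not the sender, decides the origin tag, so a
// webview cannot claim to be the user by putting origin: 'user' into the
// payload of its own postMessage.
function receiveFromWebview(data) {
  return { ...data, origin: 'webview' };
}
function receiveFromDom(ev) {
  // Real browser events carry isTrusted === true; dispatchEvent()'d ones do not.
  return { type: 'did-keydown', key: ev.key, ctrlKey: !!ev.ctrlKey,
           shiftKey: !!ev.shiftKey, altKey: !!ev.altKey,
           origin: ev.isTrusted ? 'user' : 'synthetic' };
}

// Vulnerable router: any message that looks like a keydown is resolved
// straight to a command, whatever its origin. Returns the command to run.
function routeVulnerable(msg) {
  if (msg.type !== 'did-keydown') return null;
  return KEYBINDINGS.get(chordOf(msg)) ?? null;
}

// Hardened router: gesture-only commands require origin === 'user'. Other
// shortcuts still work from a webview so previews stay usable. Blocked
// attempts are appended to `audit` for logging.
function routeHardened(msg, audit = []) {
  if (msg.type !== 'did-keydown') return null;
  const command = KEYBINDINGS.get(chordOf(msg));
  if (!command) return null;
  if (msg.origin !== 'user' && GESTURE_ONLY.has(command)) {
    audit.push(`blocked "${command}" from ${msg.origin} input (${chordOf(msg)})`);
    return null;
  }
  return command;
}

// Constructed payload: what a webview would post to trigger the shortcut.
// It even lies about its origin, which the adapter overwrites.
const FORGED = receiveFromWebview(
  { type: 'did-keydown', key: 'A', ctrlKey: true, shiftKey: true, origin: 'user' });

if (typeof require !== 'undefined' && require.main === module) {
  const audit = [];
  console.log('vulnerable:', routeVulnerable(FORGED));
  console.log('hardened  :', routeHardened(FORGED, audit), audit);
}
```

The design point is that the host assigns trust at the boundary where the event enters (DOM event versus iframe message) rather than trusting anything in the message body, and that the commands which approve or install things check that tag. Run it with `node` to see the forged keystroke fire the notification command in the first router and get logged and dropped in the second.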

**Bypassing the trust check**

Installing a VS Code extension normally triggers a publisher trust dialog. The exploit sidesteps it through a feature called local workspace extensions: any extension placed in a repository's .vscode/extensions folder can be installed without a trust prompt, because VS Code treats it as part of the workspace rather than as a third-party download.

The attacker can also declare custom keybindings in the extension's package.json, mapping arbitrary VS Code commands to keyboard shortcuts. Because the webview can reliably fire those shortcuts, the exploit can drive almost any sequence of editor commands. “We can simply add a keybind for any VS Code command, such as installing an extension while bypassing the trusted publisher check,” Askar noted.
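Both artefacts the article describes, a notebook carrying HTML with an inline event handler and a workspace extension under .vscode/extensions that contributes keybindings, can be checked for before a repository is opened in GitHub.dev, which is also the review the closing section recommends. The following is an added example, not code from the article, from Askar, or from VS Code. It takes a repository as an in-memory map of path to file contents (constructed here; wiring it to a real checkout is left to the reader), parses every `.vscode/extensions/*/package.json` manifest and every `.ipynb`, and reports keybindings that target a command the extension does not itself declare, plus any inline `on*=` handler in notebook Markdown cells or text/html outputs. `contributes.keybindings` and `contributes.commands` are real VS Code manifest fields; treating a keybinding to a foreign command as suspicious is this example's own heuristic, and the sample repository, its extension and its command id are constructed for illustration.

```javascript
// Added example (not the article's, the researcher's or VS Code's code):
// pre-flight audit of a repository for the two artefacts the article
// describes. `files` maps a repo-relative path to its text contents.

const MANIFEST_RE = /^\.vscode\/extensions\/[^/]+\/package\.json$/;
const HANDLER_RE = /<[^>]*\s(on[a-z]+)\s*=/gi;   // inline event handler inside a tag

function parseJsonOrNull(text) {
  try { return JSON.parse(text); } catch { return null; }
}

// Workspace extensions: list every contributed keybinding and flag those that
// target a command the same manifest does not declare (assumption: a bundled
// extension binding keys to somebody else's command deserves a human look).
function auditWorkspaceExtensions(files) {
  const report = [];
  for (const [path, text] of Object.entries(files)) {
    if (!MANIFEST_RE.test(path)) continue;
    const m = parseJsonOrNull(text);
    if (!m) { report.push({ path, error: 'unparseable manifest' }); continue; }
    const contributes = m.contributes ?? {};
    const own = new Set((contributes.commands ?? []).map(c => c.command));
    const keybindings = (contributes.keybindings ?? []).map(kb => ({
      key: kb.key, command: kb.command, foreign: !own.has(kb.command),
    }));
    report.push({
      path,
      id: `${m.publisher ?? '?'}.${m.name ?? '?'}`,
      keybindings,
      suspicious: keybindings.filter(kb => kb.foreign),
    });
  }
  return report;
}

// nbformat stores cell sources and outputs as a string or a list of strings.
function joinSource(src) {
  return Array.isArray(src) ? src.join('') : (src ?? '');
}

// Notebooks: find inline event handlers in Markdown cells and in text/html
// outputs of code cells, both of which are rendered inside a webview.
function auditNotebooks(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (!path.endsWith('.ipynb')) continue;
    const nb = parseJsonOrNull(text);
    if (!nb || !Array.isArray(nb.cells)) { findings.push({ path, error: 'unparseable notebook' }); continue; }
    nb.cells.forEach((cell, index) => {
      const chunks = [];
      if (cell.cell_type === 'markdown') chunks.push(joinSource(cell.source));
      for (const out of cell.outputs ?? []) chunks.push(joinSource(out.data?.['text/html']));
      for (const chunk of chunks) {
        for (const match of chunk.matchAll(HANDLER_RE)) {
          findings.push({ path, cell: index, handler: match[1].toLowerCase() });
        }
      }
    });
  }
  return findings;
}

function auditRepo(files) {
  return { extensions: auditWorkspaceExtensions(files), notebooks: auditNotebooks(files) };
}

// Constructed sample repository. The flagged command id is an illustrative
// VS Code built-in; the onerror snippet has the shape the article describes
// and carries no real payload.
const SAMPLE_REPO = {
  'README.md': '# demo\n',
  '.vscode/extensions/helper/package.json': JSON.stringify({
    name: 'helper', publisher: 'someone', version: '0.0.1',
    contributes: {
      commands: [{ command: 'helper.hello', title: 'Hello' }],
      keybindings: [
        { key: 'ctrl+alt+h', command: 'helper.hello' },
        { key: 'ctrl+shift+a', command: 'workbench.extensions.installExtension' },
      ],
    },
  }),
  'notes.ipynb': JSON.stringify({
    cells: [
      { cell_type: 'markdown', source: ['# Notes\n', '<img src="x" onerror="/* attacker script */">\n'] },
      { cell_type: 'code', source: 'print(1)', outputs: [{ data: { 'text/html': ['<b>1</b>'] } }] },
    ],
  }),
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditRepo(SAMPLE_REPO), null, 2));
}
```

Running it with `node` prints one workspace extension whose Ctrl+Shift+A binding points at a command it does not own, and one onerror handler in the first notebook cell. A manifest or notebook that fails to parse is reported rather than skipped, since a file that the scanner cannot read is exactly the one a reviewer should open by hand.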

**Why the researcher disclosed the issue immediately**

Askar did not follow the usual coordinated-disclosure process. He told The Register that an earlier experience with the Microsoft Security Response Center had soured him on it: MSRC, he said, quietly fixed a VS Code bug he reported without crediting him, having deemed it to have no security impact.

He gave a GitHub security contact roughly an hour's notice before publishing the full exploit details and proof-of-concept code. His decision reflects broader researcher frustration with Microsoft's vulnerability handling, which has intensified recently after the company threatened criminal prosecution of another security researcher, known as Nightmare Eclipse, for publicly disclosing Windows zero-days.

The disclosure lands just weeks after a separate incident in which attackers compromised GitHub through a malicious VS Code extension and stole around 3,800 internal repositories. That attack, attributed to a group tracked as TeamPCP, showed that malicious extensions are a real threat to the developer supply chain rather than a theoretical one.

**The extent of the risk**

What makes this vulnerability especially dangerous is that the GitHub.dev entry point carries no CSRF token, so any link anywhere on the web can steer a logged-in user into the attack flow. One click is all it takes: no extra prompts, no trust dialogs, no visible warnings.

Once the token is exfiltrated, the attacker holds the same repository access as the victim: reading proprietary source code, planting backdoors in private projects, or pivoting to other systems with secrets harvested from configuration files. For developers working on enterprise or open-source infrastructure, the blast radius could be large.

When vulnerabilities in developer tools are fixed quietly, without a public advisory or a CVE, users on older versions stay exposed without knowing it, as recent studies have noted. Whether Microsoft assigns a CVE to this vulnerability and publishes a formal advisory will show whether those lessons have been learned.

**What developers should do now**

Until Microsoft ships a fix, developers should be wary of clicking GitHub.dev links, especially ones that point at unfamiliar repositories. Reviewing the .vscode/extensions folder of any repository before
