A vulnerability in GitHub.dev allows attackers to steal OAuth tokens with a single click.
Any developer who has ever hit the period key on a GitHub repository, launching the handy browser-based VS Code editor known as GitHub.dev, has unwittingly entered into a deal. In return for a minimal coding setup, GitHub discreetly transmits an OAuth token to the session, granting read and write privileges to all repositories accessible to the user, not just the one they opened.
Security researcher Ammar Askar has recently demonstrated how a single malicious link can completely take over that token. The proof-of-concept exploit, released on June 2, 2026, exploits multiple VS Code behaviors to install a rogue extension within GitHub.dev, secretly extract the OAuth credential, and enumerate every private repository the victim can access.
Microsoft has acknowledged this vulnerability and stated they are working on a solution. According to Alexandru Dima, a partner software engineering manager at Microsoft, this flaw does not affect the VS Code Desktop application.
How the attack functions
The exploit initiates with a specially crafted GitHub.dev link that directs to a repository containing a harmful Jupyter Notebook file. Upon clicking, GitHub.com automatically posts an OAuth token to the GitHub.dev session. This token is not limited to a specific repository and holds full access rights across all repositories the user can view, including private ones.
Inside the notebook, a concealed HTML snippet with an onerror handler executes JavaScript controlled by the attacker within a sandboxed webview iframe. VS Code utilizes these webviews to render Markdown previews, edit notebooks, and display other enhanced content. The critical issue is that a webview can simulate keyboard events, particularly keydown events, in the primary editor window using the postMessage API.
The malicious payload waits a few moments for VS Code to display a notification prompting for extension installation, then triggers a simulated Ctrl+Shift+A keystroke. This shortcut corresponds to the “Accept Notification Primary Action” command, which silently grants permission for the installation of an attacker-controlled extension. The extension subsequently acquires the GitHub OAuth token and calls the GitHub API to enumerate every private repository the victim can access.
Bypassing the trust verification
Typically, installing a VS Code extension prompts a publisher trust notification. However, the exploit bypasses this entirely by utilizing a feature known as local workspace extensions. Any extension placed in a repository’s .vscode/extensions folder can be installed without a trust dialogue, as VS Code considers it part of the workspace rather than a third-party download.
The attacker can also implement custom keybindings through the extension’s package.json, linking various VS Code commands to keyboard shortcuts. Since the exploit can reliably activate those shortcuts from the webview, virtually any sequence of editor actions can be executed. “We can simply add a keybind for any VS Code command we desire, like installing an extension while bypassing the trusted publisher check,” Askar noted.
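As an added defensive check (written for this page, not code from the article, from VS Code or from GitHub), the Python helpers below audit a repository checkout for the two ingredients the technique relies on: local workspace extensions under .vscode/extensions with the keybindings they contribute, and notebook cells that carry inline HTML event handlers. They run against a constructed sample repository; the names sample-ext, constructed-publisher, sample.placeholderCommand and notes.ipynb are all made up.

```python
import json
import re
import tempfile
from pathlib import Path

# Matches an HTML tag carrying an inline on* handler (e.g. onerror=, onload=).
INLINE_HANDLER = re.compile(r"<[^>]+\son\w+\s*=", re.IGNORECASE)


def audit_workspace_extensions(repo_root):
    """List each .vscode/extensions/*/package.json and the keybindings it contributes."""
    ext_dir = Path(repo_root) / ".vscode" / "extensions"
    findings = []
    if not ext_dir.is_dir():
        return findings
    for manifest in sorted(ext_dir.glob("*/package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append({"extension": manifest.parent.name, "publisher": None, "keybindings": None})
            continue
        contributes = pkg.get("contributes") or {}
        findings.append({
            "extension": manifest.parent.name,
            "publisher": pkg.get("publisher"),
            "keybindings": [(kb.get("key"), kb.get("command"))
                            for kb in contributes.get("keybindings", []) if isinstance(kb, dict)],
        })
    return findings


def scan_notebooks(repo_root):
    """Return (notebook name, cell index) for every cell whose source has an inline on* handler."""
    hits = []
    for nb_path in sorted(Path(repo_root).rglob("*.ipynb")):
        try:
            nb = json.loads(nb_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unparsable notebook; a stricter policy could flag it instead
        for i, cell in enumerate(nb.get("cells", [])):
            src = cell.get("source", "")
            src = "".join(src) if isinstance(src, list) else str(src)
            if INLINE_HANDLER.search(src):
                hits.append((nb_path.name, i))
    return hits


def build_sample_repo():
    """Constructed sample: one workspace extension with a keybinding, one notebook with an on* handler."""
    root = Path(tempfile.mkdtemp())
    ext = root / ".vscode" / "extensions" / "sample-ext"
    ext.mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps({
        "name": "sample-ext", "publisher": "constructed-publisher",
        "contributes": {"keybindings": [{"key": "ctrl+alt+9", "command": "sample.placeholderCommand"}]}}))
    (root / "notes.ipynb").write_text(json.dumps({"cells": [
        {"cell_type": "markdown", "source": ["# Plain heading\n"]},
        {"cell_type": "markdown", "source": ["<img src=x onerror=\"placeholder()\">"]}]}))
    return str(root)
```

A non-empty result from either function is a reason to read the repository on GitHub.com rather than open it in GitHub.dev.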
Why the researcher disclosed immediately
Askar did not adhere to the typical coordinated-disclosure process. He informed The Register that a previous encounter with Microsoft’s Security Response Centre left him disillusioned with the procedure. According to Askar, MSRC quietly patched a VS Code bug he had reported without crediting him and deemed it to have no security implications.
He provided a GitHub security contact with roughly an hour’s notice before making the complete exploit details and proof-of-concept code public. This decision reflects a broader trend of researcher dissatisfaction with Microsoft’s handling of vulnerabilities, which intensified recently after the company threatened another researcher, known as Nightmare Eclipse, with criminal charges for publicly disclosing Windows zero-days.
The disclosure follows closely after a separate incident wherein hackers accessed GitHub itself via a compromised VS Code extension, stealing around 3,800 internal repositories. This attack, attributed to a group referred to as TeamPCP, highlighted that malicious extensions pose a real and active threat in the developer supply chain.
The extent of the risk
This vulnerability is particularly concerning because GitHub.dev does not employ CSRF tokens, allowing any link on the internet to potentially funnel a user into the attack flow. A single click is all it takes. There are no supplementary prompts, no trust dialogues, and no visible alerts.
Once the token is extracted, the attacker gains the same repository access as the victim, enabling them to read proprietary source code, inject backdoors into private projects, or pivot to other systems by retrieving secrets stored in configuration files. For developers engaged with enterprise or open-source infrastructure, the potential impact could be substantial.
Recent studies have indicated that vulnerabilities in developer tools, when patched discreetly without public advisories or CVE assignments, leave users on outdated versions vulnerable without their knowledge. Whether Microsoft assigns a CVE to this vulnerability and issues a formal advisory will test the lessons learned from past experiences.
What developers should do now
Until Microsoft releases a fix, developers should exercise caution when clicking GitHub.dev links, especially those leading to unfamiliar repositories. Inspecting the .vscode/extensions folder of any repository prior to opening it in