Ethical Hacking News

A Vulnerability in Microsoft Visual Studio Code Exposes GitHub OAuth Tokens to Attackers



A recent vulnerability in Microsoft Visual Studio Code has exposed GitHub OAuth tokens to attackers, allowing them to steal sensitive information with just one click. Find out how this vulnerability works and what it means for users.

  • A critical vulnerability in Microsoft's Visual Studio Code (VS Code) could allow an attacker to steal a user's full GitHub OAuth token.
  • The exploit chains VS Code's handling of webview messages, extension-contributed keybindings and workspace-local extensions, so that a malicious repository can install a rogue extension without a trust prompt and extract the token.
  • A compromised GitHub token grants the attacker full access to every repository the user can reach, public or private, because the token is not scoped to a single repository.
  • Researcher Ammar Askar found the issue by reverse engineering how VS Code loads extensions from a workspace's ".vscode/extensions" folder and how extensions contribute keybindings.
  • Microsoft has acknowledged the vulnerability and is working on a fix; GitHub was notified only about an hour before the details were published, which has drawn concern about the speed of disclosure.



    A critical vulnerability in Microsoft's popular Visual Studio Code (VS Code) software could allow attackers to steal a user's full GitHub OAuth token. The exploit takes advantage of the way VS Code handles keybindings and extensions, letting a malicious repository install a rogue extension that extracts sensitive information.

    According to Ammar Askar, the security researcher who discovered the vulnerability, the attack starts from the message-passing mechanism between the main VS Code window and its webviews, the embedded views used to render Markdown previews or edit Jupyter notebooks. By using that channel to trigger keybindings and install malicious extensions from an untrusted workspace, an attacker can reach sensitive information, including the GitHub OAuth token.

    These tokens, which are used for authentication purposes, provide attackers with full access to every repository that the user has access to, regardless of whether it is public or private. This means that if a user's GitHub token is compromised, all their repositories could potentially be accessed and modified by an attacker.

    The vulnerability was found by reverse engineering how VS Code handles extensions and keybindings. Askar explained that the approach leverages a VS Code feature called local workspace extensions, which allows an extension to be installed directly, without any additional trust dialog, as long as it is placed in the ".vscode/extensions" folder within that workspace.

    "This is just a small hiccup though," Askar said. "One of the things that extensions can do as part of their package.json is contribute extra keybindings to VS Code." A workspace-local extension can therefore contribute a keybinding whose command installs a further extension while skipping the trusted-publisher check, so the attacker ends up with malicious extensions installed without the user ever being prompted.

    GitHub was notified of the vulnerability on June 2, 2026, just an hour before details of the issue were made public. Microsoft has since acknowledged the vulnerability and stated that it is working on a fix, though some have expressed concern about how short the window between notification and disclosure was. The exposure is most direct in GitHub.dev, the lightweight web-based source code editor that runs VS Code inside the web browser's sandbox.

    "This functionality is achieved by github.com posting over an OAuth token to github.dev that allows it to interact with GitHub on your behalf," Askar explained. "The token is not scoped to the particular repo you interacted with, meaning it has full access to every other repo that you have access to."

    In light of this vulnerability, users are advised to be cautious about opening untrusted repositories in VS Code or GitHub.dev, since a repository can ship its own workspace-local extensions, and to take particular care with sensitive repositories or projects that require high levels of security. Developers should also keep their extensions and plugins up to date and review what they install, as outdated software can give attackers opportunities to exploit vulnerabilities.

    As the cybersecurity landscape continues to evolve, it is becoming increasingly important for users and developers alike to stay vigilant and informed about the latest threats and vulnerabilities. By doing so, we can all work together to create a safer and more secure digital environment for everyone.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Vulnerability-in-Microsoft-Visual-Studio-Code-Exposes-GitHub-OAuth-Tokens-to-Attackers-ehn.shtml

  • https://thehackernews.com/2026/06/one-click-github-dev-attack-lets.html


  • Published: Wed Jun 3 09:49:51 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.