Ethical Hacking News
Microsoft Exploits Leaked: Another Bug Hunter Defies Company's Handling of Vulnerability Disclosures
Ammar Askar has leaked a proof-of-concept (PoC) exploit for a previously unpatched Visual Studio Code (VS Code) vulnerability that affects anyone who has ever used github.dev, the feature that opens a GitHub repo in a browser-based version of VS Code. The leak follows a similar incident involving Nightmare Eclipse, a suspected former Microsoft employee who has been making waves in the security community by publishing zero-day exploits.
The leaked exploit has left many wondering how such a critical vulnerability went undetected for so long, and researchers are calling for more effective communication between researchers and affected parties, citing past negative experiences with Microsoft's Security Response Center (MSRC).
According to Ammar Askar, the bug hunter behind this latest leak, his decision to disclose the vulnerability was influenced by past negative experiences with Microsoft's Security Response Center (MSRC). In a blog post detailing his experience with MSRC, Askar shared that his previous report on a VSCode bug was met with silence and marked as not having any security impact. He also cited a recent report from Starlabs on a VSCode XSS bug marked as ineligible and low severity, which only served to reinforce his distrust of the company's handling of vulnerability disclosures.
Askar's approach is reminiscent of Nightmare Eclipse's practice of leaking zero-days without informing Microsoft beforehand. Both researchers are motivated by a desire to expose vulnerabilities in order to improve security, but their methods differ in how they deal with the affected party. In this case, Askar disclosed the bug to "an old contact" at GitHub and then went public roughly an hour later, publishing a proof-of-concept (PoC) exploit for the VS Code vulnerability.
The leaked exploit involves attackers configuring repos to push malicious VS Code extensions via the Workspace Recommendations feature. Once installed, these extensions can steal OAuth tokens that can be used to read and write public and private GitHub repositories.
According to Askar, the feature works by GitHub passing an OAuth token over to GitHub.dev and, crucially, this token is not limited to the repo from which GitHub.dev was spun up. This means the token can hand an attacker access to any other repo – public or private – to which the target also has access.
The exploit is contingent on an attacker being able to modify a repo's .vscode/extensions.json file and recommending an attacker-controlled extension for the browser-based VS Code instance. In normal scenarios, a pop-up would appear asking for a user to accept the installation of this extension, potentially tipping them off to foul play. However, because of the way in which the attacker delivers the repo to the target, they already have a Jupyter Notebook file running in the target's GitHub.dev before the extension is installed.
The attacker must initially get the target to open their repo using a GitHub.dev link that points to this ipynb file, which VS Code immediately opens inside a Webview. Inside the Jupyter Notebook is a hidden HTML snippet inside a Markdown cell, which when loaded allows attacker-controlled JavaScript code to run. This code fires a simulated keyboard shortcut, which VS Code bubbles up to the main editor, tricking the system into automatically accepting the malicious extension popup.
The attacker-controlled extension then runs with access to the browser environment and steals the OAuth token, which can be used to read and change any public or private repo the target can access. That such a chain went unaddressed for so long underlines the need for more effective communication between researchers and affected parties.
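A defender-side pre-open check for the two repository artefacts the chain above depends on: a .vscode/extensions.json that recommends an extension outside an organisation's allowlist, and a notebook Markdown cell carrying raw HTML. This is an added example, not Askar's PoC or anything from the original article; the allowlist, the flagged tag set and the sample repository contents are constructed for illustration.

```python
import json
import re

# Constructed allowlist (hypothetical): extension ids the organisation has vetted.
TRUSTED_EXTENSIONS = {"ms-python.python", "dbaeumer.vscode-eslint"}
# The chain above hinges on raw HTML in a notebook Markdown cell; flag script-capable tags.
HTML_TAG_RE = re.compile(r"<\s*(script|iframe|img|svg|object|embed|style)\b", re.I)

def untrusted_recommendations(extensions_json, trusted=TRUSTED_EXTENSIONS):
    """Workspace Recommendation ids not on the allowlist (case-insensitive).
    Assumes strict JSON; a real extensions.json may be JSONC, so strip comments first."""
    trusted_lc = {t.lower() for t in trusted}
    recs = json.loads(extensions_json).get("recommendations", [])
    return [r for r in recs if r.lower() not in trusted_lc]

def html_in_markdown_cells(notebook_json):
    """(cell_index, tag) for each Markdown cell whose source contains a flagged tag."""
    hits = []
    for idx, cell in enumerate(json.loads(notebook_json).get("cells", [])):
        if cell.get("cell_type") != "markdown":
            continue
        src = cell.get("source", "")
        if isinstance(src, list):  # nbformat allows source as a list of lines
            src = "".join(src)
        match = HTML_TAG_RE.search(src)
        if match:
            hits.append((idx, match.group(1).lower()))
    return hits

def scan_repo(files):
    """files maps repo path -> file text; returns human-readable findings."""
    findings = []
    for path, text in files.items():
        if path.endswith(".vscode/extensions.json"):
            for ext in untrusted_recommendations(text):
                findings.append(f"{path}: recommends unvetted extension {ext}")
        elif path.endswith(".ipynb"):
            for idx, tag in html_in_markdown_cells(text):
                findings.append(f"{path}: Markdown cell {idx} embeds <{tag}>")
    return findings

# Constructed sample repo: one recommendation off the allowlist and a notebook
# whose Markdown cell embeds an <img> tag (a placeholder, not a working payload).
SAMPLE_REPO = {
    ".vscode/extensions.json": json.dumps(
        {"recommendations": ["ms-python.python", "unvetted-pub.helper"]}),
    "intro.ipynb": json.dumps({"cells": [
        {"cell_type": "markdown", "source": ["# Welcome\n", "<img src=x>\n"]},
        {"cell_type": "code", "source": ["print('hi')"]}]}),
}
```

Running `scan_repo` over a checkout before opening it in github.dev gives a reviewer two concrete things to look at; it does not replace reviewing the recommended extension itself.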
In response to this leak, Microsoft has yet to comment on whether it will take steps to address this vulnerability. However, in light of past experiences with MSRC, it is likely that some form of action will be taken.
Related Information:
https://www.ethicalhackingnews.com/articles/Microsoft-Exploits-Leaked-Another-Bug-Hunter-Defies-Companys-Handling-of-Vulnerability-Disclosures-ehn.shtml
https://www.theregister.com/security/2026/06/03/another-bug-hunter-leaks-microsoft-exploits-in-defiance-of-companys-handling-of-vulnerability-disclosures/5250590
Published: Wed Jun 3 09:42:47 2026 by llama3.2 3B Q4_K_M