
VSCode Bug Steals Your GitHub Token: Patch Pending


Security researcher Ammar Askar disclosed today, June 3, a chained exploit in VSCode that steals your GitHub OAuth token with a single click on a crafted link. The attack requires no malware, no phishing page, and no social engineering beyond convincing you to open a github.dev URL — something developers do dozens of times a day. As of this writing, Microsoft has not confirmed a patch.

The token stolen is not scoped to a single repository. It is your full github.dev session credential, with read and write access to every GitHub repository your account can reach — public, private, and organizational. One click hands an attacker the keys to your entire codebase.

How the VSCode GitHub Token Stealing Attack Works

The exploit chains four separate VSCode design features that are each individually reasonable but collectively dangerous. First, VSCode webviews can forward keydown events to the main application window — a legitimate accessibility feature for keyboard shortcuts. Second, Jupyter notebook markdown cells execute JavaScript via <img onerror> handlers when rendered inside a webview. Third, VSCode’s trusted workspace feature loads local extensions from a repo’s .vscode/extensions/ directory without verifying the publisher. Fourth, installed extensions can contribute custom keybindings that trigger other VSCode commands, including extension installation, with certain security checks bypassed.

In practice: an attacker creates a GitHub repository containing a Jupyter notebook with an embedded JavaScript payload and a pre-built malicious extension in .vscode/extensions/. When a victim opens the notebook via a github.dev link, the JavaScript sends synthetic Ctrl+Shift+A keystrokes — accepted by VSCode as legitimate input — to dismiss the workspace extension install prompt. A follow-up Ctrl+F1 triggers the installed extension’s custom keybinding. The extension reads the GitHub OAuth token from the session and exfiltrates it. The entire chain executes silently in seconds, with no visual indicator to the victim.

The full technical disclosure is available on Askar’s blog and is currently trending on Hacker News with 228 points.

What Attackers Can Do With That Token

The github.dev OAuth session token does not limit access to the repository you were browsing. It scopes to your entire GitHub account. An attacker who captures it can read all your private source code, push malicious commits to any branch, modify CI/CD configuration files to inject backdoors into your build pipeline, access any secrets accidentally committed to repo history, and create or delete repositories. None of this requires your GitHub password or 2FA device — the token bypasses both.

This is what makes github.dev’s token model a problem independent of any specific bug: the token is too powerful. GitHub Codespaces takes the opposite approach, using container-isolated environments with per-session, per-repo scoped credentials. The community reaction on Hacker News was blunt: “It’s a pity that the web embedded VSCode editor is signed into GitHub at all.” Microsoft made a design tradeoff between convenience and blast radius, and chose the wrong one.


Microsoft’s Track Record Here Is Not Reassuring

Askar’s disclosure follows a familiar pattern. Microsoft’s Security Response Center has a documented habit of silently patching VSCode vulnerabilities without assigning CVEs or crediting researchers. When extensions were previously found capable of reading other extensions’ OAuth tokens — including GitHub and Microsoft account tokens — Microsoft responded that this was “an inherent result of their design choice” and declined to fix it. The developer community’s frustration is long-running: “A lot of people have the same story — they silently patch the bug and don’t even credit you.”

No CVE has been assigned to this specific chaining exploit. No fix timeline has been communicated. Given Microsoft’s track record on similar architectural issues, developers should plan around the possibility that a fix does not arrive quickly.


What You Should Do Right Now

Until Microsoft ships a verified fix, treat github.dev links from any unfamiliar source as potentially hostile. The following steps reduce your exposure immediately:

  • Clear all cookies and local storage for github.dev in your browser — this invalidates the current session token
  • Go to GitHub Settings → Applications and revoke any OAuth tokens you do not recognize
  • Rotate any secrets or credentials accessible in your repositories
  • Avoid opening github.dev links shared in issues, Discord, Slack, or social media until a patch ships
  • For automation and CI/CD, switch to GitHub fine-grained personal access tokens — these are scoped to specific repos and permissions, so a single compromised token cannot expose your entire account
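As an added example (not from Askar's disclosure, VSCode, or GitHub), a small audit script for a repository you are about to open in github.dev: it flags the two artifacts the chain described above relies on, a workspace-local extension under .vscode/extensions/ that contributes keybindings, and notebook markdown cells carrying an <img onerror=> handler. The function names and the sample repository layout are constructed for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

# Markdown-cell HTML that attaches an event handler to an <img> tag.
IMG_ONERROR_RE = re.compile(r"<img\b[^>]*\bonerror\s*=", re.IGNORECASE)

def notebook_findings(nb_path: Path) -> list[str]:
    """Markdown cells in a .ipynb that carry an <img onerror=> handler."""
    nb = json.loads(nb_path.read_text(encoding="utf-8"))
    out = []
    for i, cell in enumerate(nb.get("cells", [])):
        text = "".join(cell.get("source", ""))  # source: list of lines or one string
        if cell.get("cell_type") == "markdown" and IMG_ONERROR_RE.search(text):
            out.append(f"{nb_path.name}: markdown cell {i} has <img onerror=> handler")
    return out

def extension_findings(repo_root: Path) -> list[str]:
    """Workspace-local extensions and the keybindings they contribute."""
    out = []
    ext_dir = repo_root / ".vscode" / "extensions"
    if not ext_dir.is_dir():
        return out
    for manifest in sorted(ext_dir.glob("*/package.json")):
        out.append(f"{manifest.parent.name}: workspace-local extension present")
        pkg = json.loads(manifest.read_text(encoding="utf-8"))
        for kb in pkg.get("contributes", {}).get("keybindings", []):
            out.append(f"{manifest.parent.name}: keybinding {kb.get('key')!r} -> {kb.get('command')!r}")
    return out

def scan_repo(repo_root: Path) -> list[str]:
    """Run both checks; any finding means: inspect before opening in github.dev."""
    findings = extension_findings(repo_root)
    for nb in sorted(repo_root.rglob("*.ipynb")):
        findings.extend(notebook_findings(nb))
    return findings

def build_sample_repo() -> Path:
    """Constructed fixture shaped like the repo the article describes (no payload)."""
    root = Path(tempfile.mkdtemp())
    ext = root / ".vscode" / "extensions" / "demo"
    ext.mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps({"name": "demo", "contributes": {
        "keybindings": [{"key": "ctrl+f1", "command": "demo.run"}]}}))
    (root / "notes.ipynb").write_text(json.dumps({"cells": [
        {"cell_type": "markdown", "source": ["# Notes\n", '<img src=x onerror="void 0">']},
        {"cell_type": "code", "source": ["print(1)\n"]}]}))
    return root
```

Running `scan_repo(build_sample_repo())` reports the extension, its Ctrl+F1 keybinding, and the notebook cell; point `scan_repo` at a real clone to audit it the same way.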

Key Takeaways

  • A chained VSCode exploit disclosed today allows GitHub token theft via a single github.dev link click — no patch confirmed yet
  • The stolen token has full read/write access to all your GitHub repos; it is not scoped to the repository you were viewing
  • Four native VSCode features chain into the exploit — no single feature is obviously broken in isolation
  • Microsoft’s track record on similar design-flaw security reports is to silently patch without CVE assignment or researcher credit
  • Immediate action: clear github.dev cookies, revoke unrecognized OAuth tokens, and switch automation to fine-grained PATs
ByteBot