On 2 June 2026, security researcher Ammar Askar publicly dropped a proof-of-concept for a critical zero-day vulnerability in GitHub.dev — the browser-based version of Visual Studio Code — that lets an attacker steal a victim’s GitHub OAuth token with a single click. No elaborate phishing kit, no malware installation, no elevated privileges required. One carefully crafted link, one click from the target, and the attacker walks away with full read-write access to every GitHub repository the victim can reach — including private ones. Microsoft patched the server-side issue on 3 June 2026, but the public disclosure and the circumstances surrounding it have triggered a significant debate in the security community about responsible disclosure, developer toolchain security, and the trust relationship between researchers and large vendors.
What Exactly Was Vulnerable?
The vulnerability lies in the message-passing mechanism of VS Code’s sandboxed webview as implemented in GitHub.dev. To understand the flaw, it helps to understand how GitHub.dev authenticates users. When you open a repository on github.dev, GitHub authenticates the session by posting an OAuth token to the browser-based VS Code instance. This token is not scoped to the specific repository you opened — critically, it carries full access to every repository your account can reach. The token is handled through VS Code’s internal webview postMessage system, which is designed to be sandboxed. Askar found a way to escape that sandbox and intercept the token before it reached its intended destination.
The attack vector involves an attacker creating a specially crafted Jupyter notebook or link. When the victim opens it, the exploit triggers VS Code to execute code that accesses the OAuth token without user consent or visible indication that anything has happened. The victim sees nothing unusual. The attacker, meanwhile, receives a token granting them read-write access to the victim’s entire GitHub account — private repositories, organization repositories, everything.
“Just by clicking a link, it’s possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones.”
— Ammar Askar, security researcher
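The article says the token is handed to the browser-based editor through a postMessage channel and was intercepted before reaching its intended recipient, but it does not describe the actual sandbox escape. The following is an added example, not code from VS Code, GitHub.dev or the researcher: it models a generic host-to-frame token hand-off with a stand-in for window.postMessage and shows the two checks that decide whether a frame under the wrong origin can ever receive the token (an explicit targetOrigin on the sending side, and origin/source validation on the receiving side). All origins, window objects and token strings are constructed.

```javascript
// Added example (not GitHub.dev's or VS Code's own code): both sides of a
// postMessage hand-off of a session token between a host page and an embedded
// editor frame. Origins and tokens below are constructed placeholders.

const HOST_ORIGIN = "https://host.example";      // assumed host page origin
const EDITOR_ORIGIN = "https://editor.example";  // assumed editor frame origin

// Minimal stand-in for a browser window: the origin currently loaded in it,
// plus the messages it has received.
function makeWindow(origin) {
  return { origin, inbox: [] };
}

// Stand-in for window.postMessage: the browser delivers the message only if
// targetOrigin is "*" or matches the origin the target window currently has.
function postMessage(sender, target, data, targetOrigin) {
  if (targetOrigin !== "*" && targetOrigin !== target.origin) return false;
  target.inbox.push({ origin: sender.origin, source: sender, data });
  return true;
}

// Receiver-side check: accept a token only from the expected origin and the
// expected window, and only if the message has the expected shape.
function acceptToken(event, expectedOrigin, expectedSource) {
  if (event.origin !== expectedOrigin) return null;
  if (event.source !== expectedSource) return null;
  const d = event.data;
  if (!d || d.type !== "auth-token" || typeof d.token !== "string") return null;
  return d.token;
}

// Failure mode: the host posts with targetOrigin "*" while the editor frame has
// been navigated to an origin it should not trust. The token is delivered.
function tokenLeaksWithWildcardTarget() {
  const host = makeWindow(HOST_ORIGIN);
  const frame = makeWindow("https://untrusted.example"); // frame navigated away
  return postMessage(host, frame, { type: "auth-token", token: "gho_CONSTRUCTED" }, "*");
}

// Hardened sender: an explicit targetOrigin makes the browser drop the message
// because the frame no longer has the editor's origin.
function tokenWithheldWithExplicitTarget() {
  const host = makeWindow(HOST_ORIGIN);
  const frame = makeWindow("https://untrusted.example");
  return !postMessage(host, frame, { type: "auth-token", token: "gho_CONSTRUCTED" }, EDITOR_ORIGIN);
}

// Hardened receiver: a well-formed token message from some other window is
// ignored; only the host's message is accepted.
function receiverRejectsForeignSender() {
  const host = makeWindow(HOST_ORIGIN);
  const other = makeWindow("https://untrusted.example");
  const editor = makeWindow(EDITOR_ORIGIN);
  postMessage(other, editor, { type: "auth-token", token: "gho_FAKE" }, EDITOR_ORIGIN);
  postMessage(host, editor, { type: "auth-token", token: "gho_CONSTRUCTED" }, EDITOR_ORIGIN);
  return editor.inbox.map((e) => acceptToken(e, HOST_ORIGIN, host)); // [null, "gho_CONSTRUCTED"]
}

// In a real page the receiver would be wired up as:
//   window.addEventListener("message", (e) => acceptToken(e, HOST_ORIGIN, window.parent));
```

The point of the simulation is that each side must enforce its own check: a sender that uses a wildcard targetOrigin leaks the token to whatever is loaded in the frame, and a receiver that does not compare event.origin and event.source will accept a token-shaped message from any window that can reach it.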
Why Askar Skipped Microsoft’s Official Disclosure Process
The disclosure itself was as notable as the vulnerability. Askar deliberately bypassed the Microsoft Security Response Center (MSRC) entirely — no 90-day disclosure window, no coordinated patch timeline, no MSRC ticket. Instead, he notified a contact at GitHub approximately one hour before publishing full technical details and working proof-of-concept code to the public.
His reasoning was explicit: he had been through the MSRC process before with a previous VS Code vulnerability and described it as a “horrible experience” in which Microsoft silently patched his reported flaw without giving him any credit. Burned by that experience, Askar decided that the standard responsible disclosure process was not worth repeating with the same vendor. The security community reaction was divided — many researchers expressed sympathy with his position while others argued that publishing a working exploit without an available patch put users at immediate risk.
Microsoft’s Response and the Patch
Microsoft responded relatively quickly given the public pressure. Alexandru Dima, a partner software engineering manager at Microsoft, moved to clarify the scope: “This issue does not affect VS Code Desktop.” The vulnerability is specific to github.dev — the browser-based environment — not the downloadable VS Code application installed on your machine.
Microsoft confirmed to The Hacker News that the vulnerability was addressed on 3 June 2026 at 7:30 AM PST, approximately 30 hours after Askar’s public disclosure. Crucially, the fix was server-side — meaning no user action was required and no update needed to be downloaded or installed. Microsoft’s spokesperson confirmed: “This issue has been mitigated for our services and no customer action is required.”
The Real-World Impact: What Could an Attacker Do?
With a stolen GitHub OAuth token of this scope, an attacker’s options are significant. They could clone every private repository on the victim’s account, extracting source code, configuration files, environment variables, hardcoded secrets, API keys, and internal documentation. They could push malicious commits to repositories, injecting backdoors into codebases that may then be deployed to production infrastructure. They could access organization repositories if the victim’s account is a member of a GitHub organization — extending the blast radius beyond a single developer to their entire employer’s codebase.
This is not a theoretical risk. A report from Rescana noted that the attack was actively exploited in the wild, with attackers accessing approximately 3,700 internal repositories at GitHub itself during the exposure window. The same report also flagged a related supply chain attack via a malicious Nx Console extension (version 18.95.0) that was available on the Visual Studio Marketplace from 12:30 UTC to 12:47 UTC on 18 May 2026 — a 17-minute window during which any developer with auto-updates enabled could have received the compromised extension.
A Broader Pattern: Developer Tools as Attack Surfaces
This incident is part of a growing pattern of attacks targeting developer tooling specifically. As security analyst commentary from reptile.haus noted, this is the third major IDE-targeting attack of 2026, following the GlassWorm campaign and the Copilot co-author incident earlier in the year. Developer tools are increasingly attractive to attackers because a successful compromise does not just affect one user — it can cascade through an entire supply chain. A developer’s machine and credentials are a stepping stone to the codebases they work on, the CI/CD pipelines that build and deploy software, and ultimately the production systems that millions of users depend on.
This connects directly to the broader challenge of vulnerability management in 2026 — the attack surface for enterprise organizations now extends deeply into developer workstations and the tools developers trust implicitly. Understanding how to manage and monitor endpoint protection for developer environments has become a critical organizational capability.
What Developers and Organizations Should Do
Microsoft’s server-side mitigation means the specific github.dev attack vector has been closed. However, the incident surfaces several broader security hygiene recommendations that every developer and organization should act on regardless:
- Clear github.dev site data in your browser. Even with the server-side fix, clearing stored cookies and site data for github.dev removes any tokens that may have been cached in the browser during the exposure window.
- Audit your GitHub OAuth token scopes. Review active OAuth applications authorized on your GitHub account at github.com/settings/applications and revoke any you do not recognize or actively use.
- Review VS Code extension trust policies. Apply strict extension trust settings and consider disabling auto-updates for extensions, particularly in production development environments.
- Enable GitHub fine-grained personal access tokens. Where possible, use GitHub’s fine-grained PATs rather than broad OAuth tokens, limiting the scope of what any credential can access.
- Monitor for unauthorized repository access. Review GitHub audit logs for unexpected repository cloning or access events, particularly around 2–3 June 2026.
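The last recommendation, reviewing audit logs for unexpected repository access around the exposure window, is the one most easily turned into a repeatable check. The following is an added example, not from the article or from GitHub: it runs over a constructed set of audit-log entries and flags actors who, inside the 2–3 June 2026 window, touched repositories from an IP address not previously associated with them, or touched an unusually large number of distinct repositories. The field names (action, actor, actor_ip, repo, @timestamp in milliseconds since the epoch) follow the general shape of a JSON audit-log export but are assumptions here; adapt them to whatever your export actually contains.

```javascript
// Added example (not the article's or GitHub's code): a review pass over an
// exported audit log for the 2–3 June 2026 window. Entries and IPs below are
// constructed; field names are assumptions modelled on a JSON export.

const WINDOW_START = Date.parse("2026-06-02T00:00:00Z");
const WINDOW_END = Date.parse("2026-06-04T00:00:00Z"); // exclusive

// Actions that read code in bulk or write into repositories (assumed names).
const SUSPECT_ACTIONS = new Set(["git.clone", "repo.download_zip", "git.push"]);

// Constructed: IPs each actor normally works from (e.g. from earlier log history).
const KNOWN_IPS = new Map([
  ["alice", new Set(["203.0.113.10"])],
  ["bob", new Set(["203.0.113.20"])],
]);

// Constructed sample export.
const SAMPLE_LOG = [
  { action: "git.push",  actor: "bob",   actor_ip: "203.0.113.20", repo: "org/api",    "@timestamp": Date.parse("2026-06-01T10:00:00Z") },
  { action: "git.clone", actor: "alice", actor_ip: "203.0.113.10", repo: "org/web",    "@timestamp": Date.parse("2026-06-02T09:12:00Z") },
  { action: "git.clone", actor: "alice", actor_ip: "198.51.100.7", repo: "org/api",    "@timestamp": Date.parse("2026-06-03T03:01:00Z") },
  { action: "git.clone", actor: "alice", actor_ip: "198.51.100.7", repo: "org/infra",  "@timestamp": Date.parse("2026-06-03T03:01:30Z") },
  { action: "git.clone", actor: "alice", actor_ip: "198.51.100.7", repo: "org/secrets","@timestamp": Date.parse("2026-06-03T03:02:00Z") },
  { action: "git.clone", actor: "alice", actor_ip: "198.51.100.7", repo: "org/ci",     "@timestamp": Date.parse("2026-06-03T03:02:30Z") },
  { action: "git.clone", actor: "bob",   actor_ip: "203.0.113.20", repo: "org/web",    "@timestamp": Date.parse("2026-06-03T14:40:00Z") },
];

function inWindow(ts) {
  return ts >= WINDOW_START && ts < WINDOW_END;
}

// Aggregate suspect actions per actor inside the window and report actors
// with an unfamiliar IP or with bulk access to many distinct repositories.
function reviewAuditLog(entries, knownIps, burstThreshold = 3) {
  const perActor = new Map();
  for (const e of entries) {
    if (!SUSPECT_ACTIONS.has(e.action) || !inWindow(e["@timestamp"])) continue;
    let rec = perActor.get(e.actor);
    if (!rec) {
      rec = { actor: e.actor, repos: new Set(), unknownIps: new Set() };
      perActor.set(e.actor, rec);
    }
    rec.repos.add(e.repo);
    const allowed = knownIps.get(e.actor) || new Set();
    if (!allowed.has(e.actor_ip)) rec.unknownIps.add(e.actor_ip);
  }
  const findings = [];
  for (const rec of perActor.values()) {
    const reasons = [];
    if (rec.unknownIps.size > 0) reasons.push("unknown-ip");
    if (rec.repos.size >= burstThreshold) reasons.push("bulk-repo-access");
    if (reasons.length > 0) {
      findings.push({
        actor: rec.actor,
        repos: [...rec.repos].sort(),
        unknownIps: [...rec.unknownIps].sort(),
        reasons,
      });
    }
  }
  return findings.sort((a, b) => a.actor.localeCompare(b.actor));
}

// Stand-alone run: prints one line per flagged actor.
for (const f of reviewAuditLog(SAMPLE_LOG, KNOWN_IPS)) {
  console.log(`${f.actor}: ${f.reasons.join(", ")} (${f.repos.length} repos, ips: ${f.unknownIps.join(", ") || "-"})`);
}
```

A real export will be larger and the thresholds will need tuning, but the structure is the same: restrict to the window, restrict to actions that read or write repository content, and compare each actor's behaviour in the window against their own baseline rather than against a global rule.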
Conclusion
The VS Code github.dev zero-day is a sharp reminder that developer tools carry the same security risk profile as any other enterprise software — arguably more so given the privileged access developers have to codebases and infrastructure. Askar’s decision to skip the standard disclosure process highlights a genuine problem in the relationship between security researchers and large vendors: when researchers have repeatedly poor experiences with a vendor’s disclosure process, they make rational decisions to go around it, and the result is working exploit code in the public domain before patches are available. Microsoft’s relatively rapid server-side response suggests the lesson may have landed. The wider industry question — how to make responsible disclosure genuinely worthwhile for researchers — remains open.