


Perceptive Security
SOC/SIEM Consultancy

VS Code zero-day lets hackers steal GitHub tokens in one click
Published: 3 June 2026 at 06:50:30
Alert date: 3 June 2026 at 07:01:00
Source: bleepingcomputer.com
Zero-Day Vulnerabilities, Web Technologies, Enterprise Applications
A security researcher disclosed a zero-day vulnerability in Visual Studio Code that allows attackers to steal GitHub authentication tokens through a one-click exploit. The vulnerability enables token theft by tricking users into clicking a malicious link. Exploit code has been publicly released for this critical security flaw affecting VS Code users who have GitHub integration enabled. This represents a significant supply chain risk as VS Code is widely used by developers worldwide.
Technical details
A zero-day vulnerability in Visual Studio Code allows attackers to steal GitHub OAuth tokens by exploiting the message-passing system of VS Code's sandboxed webviews. The exploit runs malicious JavaScript inside a webview to simulate keypresses in the main editor, and in this way installs malicious extensions that steal GitHub OAuth tokens when they are passed to github.dev. The vulnerability abuses the flow in which github.com POSTs OAuth tokens to github.dev. These tokens have full access to all repositories the victim can access, not just the specific repository being accessed.
Mitigation steps:
Clear cookies and local site data for github.dev in the browser: click the Settings icon in the URL bar, then go to Cookies and site data > Manage on-device site data. This ensures that users get the warning dialog 'The extension GitHub Repositories wants to sign in using GitHub' when clicking on potentially malicious links.
Affected products:
Visual Studio Code
github.dev
GitHub OAuth tokens
Related links:
https://learn.microsoft.com/en-us/defender-vulnerability-management/tvm-zero-day-vulnerabilities
http://blog.ammaraskar.com/github-token-stealing/
https://github.com/ammaraskar/github-dev-token-steal-poc/
https://github.com/microsoft/vscode/issues/319593
https://www.reddit.com/r/netsec/comments/1tuue57/1click_github_token_stealing_via_a_vscode_bug/opcq1l7/
http://blog.ammaraskar.com/vscode-rce/#microsoft-security-and-vscode
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
