One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens

Published:

3 June 2026 at 12:58:22

Alert date:

3 June 2026 at 14:00:57

Source:

thehackernews.com

Web Technologies, Identity & Access, Enterprise Applications

Cybersecurity researchers disclosed a one-click attack via Microsoft Visual Studio Code that allows attackers to steal GitHub OAuth tokens. The attack exploits GitHub.dev functionality and requires only clicking a malicious link. Stolen tokens provide read and write access to repositories, including private ones. The vulnerability affects the OAuth authentication flow in VS Code's GitHub integration.

Technical details

The vulnerability exploits GitHub.dev's web-based VS Code environment by leveraging malicious VS Code extensions that steal GitHub OAuth tokens. The attack works by exploiting message-passing mechanisms between the main VS Code window and webviews, using malicious JavaScript to simulate keypresses (keydown events), opening the Command Palette via Ctrl+Shift+P, and installing attacker-controlled extensions. The exploit bypasses security checks by using the local workspace extensions feature, placing malicious extensions in the .vscode/extensions folder to avoid publisher trust dialogs. The stolen OAuth tokens have full access to all repositories the victim can access, not just the specific repo being viewed.

Mitigation steps:

Microsoft has acknowledged the vulnerability and is working on a fix. Users should be cautious when clicking links that open GitHub.dev, especially from untrusted sources. Monitor for unauthorized extension installations and unexpected GitHub API activity. The issue only affects the VS Code web version (GitHub.dev), not VS Code Desktop.
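
One way to act on the monitoring advice above is to audit local checkouts for extensions shipped inside a repository's .vscode/extensions folder. The script below is an added example, not code from the advisory or from Microsoft; the function names, sample repositories and manifest values are constructed, and treating a "browser" entry point and eager activation events as triage signals is an assumption of this example.

```python
import json
import os
import tempfile
from pathlib import Path

# Activation events that start an extension with no user action.
EAGER_EVENTS = {"*", "onStartupFinished"}

def scan_workspace_extensions(root):
    """Report every extension folder under a .vscode/extensions directory."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        here = Path(dirpath)
        if not (here.name == "extensions" and here.parent.name == ".vscode"):
            continue
        for ext in sorted(dirnames):
            try:
                data = json.loads((here / ext / "package.json").read_text("utf-8"))
            except (OSError, ValueError):
                data = {}  # missing or unparsable manifest: still report the folder
            if not isinstance(data, dict):
                data = {}
            events = data.get("activationEvents")
            events = events if isinstance(events, list) else []
            findings.append({
                "path": (here / ext).relative_to(root).as_posix(),
                "id": f"{data.get('publisher', '?')}.{data.get('name', '?')}",
                # A "browser" entry point means it can load in VS Code for the Web.
                "web": "browser" in data,
                "eager": any(isinstance(e, str) and e in EAGER_EVENTS for e in events),
            })
        dirnames[:] = []  # extension contents need no further walking
    return sorted(findings, key=lambda f: f["path"])

def build_sample(root):
    """Create constructed sample checkouts (not taken from the advisory)."""
    manifests = {
        "repo-a/.vscode/extensions/helper": {"name": "helper", "publisher": "example-pub",
            "browser": "./dist/web.js", "activationEvents": ["*"]},
        "repo-c/.vscode/extensions/lint": {"name": "lint", "publisher": "example-pub",
            "main": "./out/ext.js", "activationEvents": ["onCommand:lint.run"]},
    }
    for folder, manifest in manifests.items():
        target = Path(root, folder)
        target.mkdir(parents=True)
        (target / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    Path(root, "repo-b/.vscode").mkdir(parents=True)  # ordinary repo, no extensions

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan_workspace_extensions(tmp), sep="\n")
```

Any finding is worth a manual review, since a repository rarely needs to ship its own extension; findings with both "web" and "eager" set deserve attention first.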

Affected products:

GitHub.dev web-based editor
Microsoft Visual Studio Code (web version)
GitHub OAuth implementation

Related links:

Related CVEs:

Related threat actors:

IOCs:

Malicious VS Code extensions in .vscode/extensions folder
Unauthorized keydown events triggering Ctrl+Shift+P
Suspicious extension installations without trust dialogs
Unexpected GitHub API queries to enumerate private repositories

This article was created with the assistance of AI technology by Perceptive.
