# Full Report
A security researcher has released exploit code for a Visual Studio Code (VS Code) zero-day vulnerability that allows attackers to steal GitHub authentication tokens by tricking users into clicking a link. [...]
# Analysis Summary
# Vulnerability: GitHub Authentication Token Theft via VS Code Webview
## CVE Details
- CVE ID: None (Zero-day)
- CVSS Score: Not yet assigned (Estimated High/Critical)
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-94 (Improper Control of Generation of Code)
## Affected Systems
- Products: Visual Studio Code (VS Code), specifically github.dev (browser-based)
- Versions: All versions prior to June 3, 2026 (Unpatched at time of report)
- Configurations: Users logged into github.dev with active GitHub sessions
## Vulnerability Description
The flaw resides in VS Code's sandboxed webview message-passing system. Malicious JavaScript running inside a webview can use that channel to simulate keypresses in the main editor, which is enough to trigger the installation of an extension the user never chose.
When a user opens github.dev, github.com POSTs an OAuth token to the browser-based editor so it can work with the repository. This token is not scoped to a single repository; it grants access to every private repository associated with the victim's account. A malicious extension installed through the webview flaw can intercept this OAuth token and exfiltrate it to an attacker-controlled server.
## Exploitation
- Status: PoC available; Publicly disclosed
- Complexity: Medium (Requires social engineering/one-click)
- Attack Vector: Network (Web-based link)
## Impact
- Confidentiality: High (Full access to all private GitHub repositories)
- Integrity: High (Ability to modify code and repository settings)
- Availability: Low (Primary risk is data theft)
## Remediation
### Patches
- As of the date of disclosure, there is **no official patch** available from Microsoft.
### Workarounds
- **Clear Site Data:** Clear cookies and local site data specifically for `github.dev` in your browser.
- **Enable Warnings:** Once local site data has been cleared, the editor should once again show the consent prompt *"The extension 'GitHub Repositories' wants to sign in using GitHub."* Do not grant this permission unless you initiated the sign-in yourself.
- **Avoid Untrusted Links:** Refrain from clicking suspicious links that redirect to `github.dev` or `vscode.dev`.
## Detection
- **Indicators of Compromise:** Unauthorized access logs in GitHub account security history; presence of unknown or suspicious extensions in the VS Code web-based environment.
- **Detection methods:** Monitor GitHub personal access token (PAT) and OAuth token usage for anomalies or connections from unrecognized IP addresses.
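The detection method above (watching token usage for unrecognized source addresses) can be made concrete with a small rule engine. The following is an added example, not code from the report or from any GitHub tooling: it runs two rules over a constructed list of token-usage events, flagging any use from outside a hypothetical known egress range and any token that switches source IP within a short window, which is the pattern a stolen github.dev token would produce when the attacker's server starts using it shortly after the victim.

```python
"""Flag anomalous GitHub token usage in constructed audit-style events.

Added example for the detection section. Event format, token ids,
addresses and the KNOWN_NETWORKS range are all assumptions made for
this example, not values from the report.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events: (ISO-8601 time, token id, source IP, action).
# Token A is used normally, then 90 seconds later from an address outside
# the known range, as would happen if the token had been exfiltrated.
SAMPLE_EVENTS = [
    ("2026-06-01T09:00:00", "ghu_tokenA", "203.0.113.10", "repo.clone"),
    ("2026-06-01T09:05:00", "ghu_tokenA", "203.0.113.10", "repo.push"),
    ("2026-06-01T09:06:30", "ghu_tokenA", "198.51.100.77", "repo.clone"),
    ("2026-06-01T09:07:00", "ghu_tokenA", "198.51.100.77", "repo.clone"),
    ("2026-06-01T10:00:00", "ghu_tokenB", "203.0.113.22", "repo.clone"),
]

# Hypothetical corporate egress range; in practice this comes from your own inventory.
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]
# Two different source IPs for one token inside this window is treated as suspicious.
TRAVEL_WINDOW = timedelta(minutes=5)


def parse_events(rows):
    """Turn raw tuples into dicts with typed fields, sorted by time."""
    events = []
    for time_str, token, ip, action in rows:
        events.append({
            "time": datetime.fromisoformat(time_str),
            "token": token,
            "ip": ip_address(ip),
            "action": action,
        })
    return sorted(events, key=lambda e: e["time"])


def find_anomalies(events, known_networks=KNOWN_NETWORKS, window=TRAVEL_WINDOW):
    """Return a list of findings; each is a dict with kind, token, ip and time."""
    findings = []
    last_seen = {}  # token -> (ip, time) of the previous event for that token
    for ev in events:
        # Rule 1: source address is not in any known network.
        if not any(ev["ip"] in net for net in known_networks):
            findings.append({"kind": "unknown_source", "token": ev["token"],
                             "ip": str(ev["ip"]), "time": ev["time"]})
        # Rule 2: same token, different IP, within the travel window.
        prev = last_seen.get(ev["token"])
        if prev is not None:
            prev_ip, prev_time = prev
            if prev_ip != ev["ip"] and ev["time"] - prev_time <= window:
                findings.append({"kind": "rapid_ip_change", "token": ev["token"],
                                 "ip": str(ev["ip"]), "time": ev["time"]})
        last_seen[ev["token"]] = (ev["ip"], ev["time"])
    return findings


def flagged_tokens(events, **kwargs):
    """Set of token ids that triggered at least one rule; these are revocation candidates."""
    return {f["token"] for f in find_anomalies(events, **kwargs)}


if __name__ == "__main__":
    for finding in find_anomalies(parse_events(SAMPLE_EVENTS)):
        print(f'{finding["time"].isoformat()} {finding["kind"]:16} '
              f'{finding["token"]} from {finding["ip"]}')
    print("tokens to revoke:", sorted(flagged_tokens(parse_events(SAMPLE_EVENTS))))
```

On the sample data token A is flagged three times (two uses from the unknown address, one rapid IP change) and token B is clean, so only token A would be revoked. The second rule matters because an attacker's server may sit inside an address range you already trust; the short-window IP switch catches the overlap between the victim's session and the stolen token's first use regardless of where the attacker connects from.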
## References
- hxxp[://]blog[.]ammaraskar[.]com/github-token-stealing/
- hxxps[://]github[.]com/microsoft/vscode/issues/319593
- hxxps[://]github[.]com/ammaraskar/github-dev-token-steal-poc/
- hxxps[://]www[.]bleepingcomputer[.]com/news/security/vs-code-zero-day-lets-hackers-steal-github-tokens-in-one-click/