VS Code zero-day lets hackers steal GitHub tokens in one click
A zero-day vulnerability in Visual Studio Code (VS Code) allows attackers to steal GitHub OAuth tokens by tricking users into clicking a malicious link. The exploit abuses VS Code's sandboxed webview message-passing system to run malicious JavaScript that installs an extension extracting the victim's GitHub token. This token grants full access to all repositories the user can access, not limited to a single repository. The vulnerability affects github.dev, the browser-based VS Code version for GitHub repositories. No official patch is currently available. Users can mitigate risk by clearing cookies and local site data for github.dev to trigger sign-in warnings on suspicious links. The vulnerability has not yet been assigned a CVE ID and is not known to be exploited in the wild.
AI Analysis
Technical Summary
This VS Code zero-day vulnerability enables attackers to steal GitHub OAuth tokens by exploiting the sandboxed webview message-passing system in github.dev. The attacker can run malicious JavaScript inside a webview to simulate keypresses, install a malicious extension, and extract the OAuth token passed to github.dev. This token is not scoped to a single repository but grants access to all repositories the user can access. The proof-of-concept exploit was publicly released by security researcher Ammar Askar, who disclosed the issue immediately after notifying GitHub. No official patch or CVE has been issued yet. Users can protect themselves by clearing github.dev cookies and local site data to force re-authentication prompts.
Potential Impact
If exploited, attackers can obtain GitHub OAuth tokens with broad access to the victim's repositories, potentially exposing private code and data. The token allows interaction with GitHub on the user's behalf across all accessible repositories. This could lead to unauthorized access and enumeration of private repositories. However, there are no reports of active exploitation in the wild at this time.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Users should clear cookies and local site data for github.dev in their browsers to trigger the GitHub sign-in prompt when clicking links, which can help detect and block attempts to exploit this flaw. Monitor official vendor advisories for updates and patches. Avoid clicking suspicious links related to github.dev until a fix is released.
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/vs-code-zero-day-lets-hackers-steal-github-tokens-in-one-click/ (fetched 2026-06-03T07:03:34.248Z; word count 961)
Threat ID: 6a1fd1c6e29bf47b507eb1cf
Added to database: 6/3/2026, 7:03:34 AM
Last enriched: 6/3/2026, 7:03:42 AM
Last updated: 6/3/2026, 4:37:37 PM