A serious vulnerability in Visual Studio Code (VS Code) has been disclosed that allows attackers to steal GitHub tokens with minimal user interaction. Security researcher Ammar Askar identified the flaw in Microsoft's widely used code editor and chose to publish the details without first reporting them to Microsoft, citing a negative experience with the company's vulnerability reporting process on a previous occasion. Askar made his findings public on June 2, shortly after notifying a member of GitHub's security team. Microsoft responded quickly, releasing a fix the following day.

The attack is delivered through a specially crafted Jupyter notebook. When the notebook is opened on github.dev, the browser-based version of VS Code, hidden code inside it simulates keystrokes that drive the editor into installing a malicious extension. That extension then reads the victim's GitHub token, granting the attacker full access to the victim's repositories, including private ones. Because github.dev is used while signed in to GitHub, simply following a link to the malicious notebook is enough to trigger the attack; no further action by the victim is required.
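The article does not say where in the notebook the hidden code sat, but a notebook can only act on the editor rendering it through content the front end treats as live HTML or JavaScript (an assumption made here, not a detail from the disclosure). A practitioner handed a suspicious .ipynb therefore wants to know what active content it carries before opening it in any renderer. The following triage script is an added example written for this page; it is not code from the original article or from Askar's write-up. It relies only on the public nbformat v4 JSON layout, and the sample notebook embedded in it is constructed for the example, not the notebook used in the disclosure.

```python
"""Triage an .ipynb for content a notebook front end would render as active code.

Added example for this article; not code from the original page or from the
disclosure. It assumes only the public nbformat v4 JSON layout: a top-level
"cells" list, each cell with "cell_type" and "source", and code cells carrying
"outputs" whose "data" is a MIME-type -> payload dict. The sample notebook below
is constructed for this example.
"""
import json
import re

# MIME bundles that notebook front ends hand to an HTML/JS renderer rather than
# showing as inert text. SVG is included because it may embed <script>.
ACTIVE_MIME_TYPES = {
    "text/html",
    "application/javascript",
    "text/javascript",
    "image/svg+xml",
}

# Markup that turns otherwise passive content into something that executes or
# loads remote resources. Crude by design: this is a triage filter, not a parser.
SCRIPT_PATTERNS = re.compile(
    r"<script\b|\bjavascript:|\bon[a-z]+\s*=|<iframe\b|<object\b|<embed\b",
    re.IGNORECASE,
)


def _as_text(value):
    """nbformat stores multi-line text as either a string or a list of strings;
    JSON MIME bundles are dicts, which are serialised so patterns can still match."""
    if isinstance(value, str):
        return value
    if isinstance(value, list):
        return "".join(str(part) for part in value)
    return json.dumps(value)


def _is_hidden(cell):
    """True if the cell asks the UI to collapse its source or outputs
    (nbformat's metadata.jupyter.source_hidden / outputs_hidden flags)."""
    jupyter_meta = cell.get("metadata", {}).get("jupyter", {})
    return bool(jupyter_meta.get("source_hidden") or jupyter_meta.get("outputs_hidden"))


def find_active_content(notebook):
    """Return one finding per cell location that a renderer would treat as live
    HTML/JavaScript. An empty list means nothing in the file is rendered actively."""
    findings = []
    for index, cell in enumerate(notebook.get("cells", [])):
        cell_type = cell.get("cell_type")
        hidden = _is_hidden(cell)
        source = _as_text(cell.get("source", ""))

        # Markdown cells are rendered as HTML, so raw script-bearing markup in
        # their source is as interesting as an HTML output.
        if cell_type == "markdown" and SCRIPT_PATTERNS.search(source):
            findings.append({"cell": index, "where": "source", "mime": "text/markdown",
                             "hidden": hidden, "reason": "script-like markup in markdown"})

        if cell_type != "code":
            continue
        for output in cell.get("outputs", []):
            # Only display_data / execute_result outputs carry a MIME bundle;
            # stream and error outputs are plain text and are skipped here.
            for mime, payload in output.get("data", {}).items():
                if mime in ACTIVE_MIME_TYPES:
                    reason = "output rendered as active content"
                elif SCRIPT_PATTERNS.search(_as_text(payload)):
                    reason = "script-like markup inside a non-HTML output"
                else:
                    continue
                findings.append({"cell": index, "where": "output", "mime": mime,
                                 "hidden": hidden, "reason": reason})
    return findings


def triage_notebook(ipynb_text):
    """Parse notebook JSON and return its findings (raises on malformed JSON)."""
    return find_active_content(json.loads(ipynb_text))


# Constructed sample: a benign markdown cell, then a code cell whose stored output
# is HTML carrying a <script> and whose source is flagged as hidden in the UI.
SAMPLE_NOTEBOOK = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {}, "source": ["# Quarterly report\n"]},
        {"cell_type": "code", "metadata": {"jupyter": {"source_hidden": True}},
         "execution_count": 1, "source": ["display(HTML(payload))"],
         "outputs": [{"output_type": "display_data", "metadata": {},
                      "data": {"text/plain": ["<IPython.core.display.HTML object>"],
                               "text/html": ["<div>loading...</div>",
                                             "<script>/* attacker-controlled */</script>"]}}]},
    ],
})

if __name__ == "__main__":
    for finding in triage_notebook(SAMPLE_NOTEBOOK):
        print(finding)
```

Run it against a downloaded notebook with `triage_notebook(open(path).read())`. A non-empty result does not prove the file is malicious, since many legitimate notebooks store HTML outputs, but it tells you which cells to read before letting any editor render them, and the `hidden` flag highlights cells whose source the UI would collapse by default.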

While the vulnerability primarily affects the web version of VS Code, the desktop version is also susceptible, though exploiting it requires more user interaction. The consequences there are potentially worse: a desktop extension runs as ordinary code with the user's privileges, so in some cases a malicious extension installed this way amounts to remote code execution on the victim's device. As of now, the desktop version has not been patched.

This incident is part of a broader trend where researchers release details of vulnerabilities without notifying Microsoft, sometimes due to dissatisfaction with the company's handling of previous reports. Microsoft has faced criticism and legal challenges over its responses to zero-day disclosures, and the cybersecurity community continues to debate the best approaches to vulnerability reporting and patching.