Cybersecurity experts have revealed a vulnerability in Microsoft Visual Studio Code (VS Code) that enabled attackers to steal GitHub OAuth tokens with a single click. This exploit, detailed by security researcher Ammar Askar, allowed unauthorized access to both public and private repositories by exploiting GitHub.dev, a lightweight web-based code editor. The vulnerability arose because GitHub.dev uses an OAuth token to interact with GitHub repositories, and that token was not scoped to a specific repository, so a compromised token could reach every repository the user had rights to.
The attack involved manipulating VS Code's message-passing mechanism between the main application window and webviews, which are typically used for tasks like Markdown previews. By running malicious JavaScript in an untrusted webview, attackers could simulate keypress events to open the Command Palette and install extensions that extract OAuth tokens. This was further facilitated by VS Code's local workspace extensions feature, which installs extensions without a trust prompt when they are placed in the workspace's '.vscode/extensions' directory.
The vulnerability was reported to GitHub on June 2, 2026, and Microsoft promptly acknowledged the issue and implemented a fix. Alexandru Dima, a partner software engineering manager at Microsoft, clarified that the vulnerability did not affect VS Code Desktop. Microsoft confirmed that the issue has been mitigated on its services and that no customer action is required, so GitHub users are protected against this particular threat.
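The workspace-bundled extension path described above is something a reviewer can check for before opening an untrusted checkout. The following scanner is an added example, not code from the article, from Askar's research or from VS Code; it assumes the layout '.vscode/extensions/<dir>/package.json' with the usual manifest keys ('name', 'publisher', 'activationEvents', 'main'/'browser'), and the sample workspace it builds is constructed data.

```python
"""Flag VS Code extensions bundled inside a repository checkout.

Added example (not from the article or VS Code). It walks the
.vscode/extensions directory named in the article and reports every
extension manifest found there, so the extensions can be reviewed before
the workspace is trusted. Manifest layout is an assumption.
"""
import json
import tempfile
from pathlib import Path

# Directory the article names as the location for local workspace extensions.
WORKSPACE_EXT_DIR = Path(".vscode") / "extensions"


def find_workspace_extensions(repo_root):
    """Return one finding dict per extension manifest under .vscode/extensions."""
    root = Path(repo_root)
    ext_root = root / WORKSPACE_EXT_DIR
    findings = []
    if not ext_root.is_dir():
        return findings
    for manifest in sorted(ext_root.glob("*/package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            data = {}  # unreadable manifest is still worth reporting
        events = data.get("activationEvents", [])
        findings.append({
            "path": str(manifest.relative_to(root)),
            "id": f"{data.get('publisher', '?')}.{data.get('name', '?')}",
            "activation": events,
            # '*' means the extension activates as soon as the workspace opens
            "activates_on_open": "*" in events,
            "entry": data.get("browser") or data.get("main"),
        })
    return findings


def demo_scan():
    """Build a constructed checkout with one bundled extension and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / WORKSPACE_EXT_DIR / "sample-ext"
        ext.mkdir(parents=True)
        (ext / "package.json").write_text(json.dumps({
            "name": "sample-ext", "publisher": "constructed",
            "activationEvents": ["*"], "browser": "./extension.js",
        }), encoding="utf-8")
        return find_workspace_extensions(tmp)


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

A clean checkout with no '.vscode/extensions' directory yields an empty list; any finding, and especially one with activates_on_open set, deserves a manual look before the workspace is trusted.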


