Security researcher Ammar Askar published details of an attack on the GitHub.dev browser environment that makes it possible to steal a GitHub OAuth token with read and write permissions to all repositories available to the user, including private ones. Exploitation requires just a single click on a malicious link. Microsoft has confirmed the vulnerability and stated that it is working on a fix, clarifying that the desktop version of VS Code is not affected. A CVE identifier and CVSS score had not been assigned at the time of publication, but a public PoC exploit exists.
Attack mechanism
GitHub.dev is a lightweight web-based code editor built on VS Code that runs in a browser sandbox. It allows you to submit pull requests and make commits directly from the browser. For authentication, GitHub.com passes an OAuth token to GitHub.dev via a POST request. According to the researcher, this token is not restricted to a specific repository and provides access to all repositories available to the user.
The exploitation chain consists of several stages:
- Executing JavaScript in a webview — attacker-controlled JavaScript runs inside an untrusted webview, the sandboxed frame VS Code uses to render Markdown previews and Jupyter notebooks. From there it abuses the postMessage channel that carries messages between webviews and the main VS Code window.
- Simulating keystrokes — over that channel the script emulates keydown events in the main editor window, firing the Ctrl+Shift+P combination to open the command palette.
- Installing a malicious extension — from the command palette the script installs an attacker-controlled extension, which intercepts the OAuth token that GitHub.com handed to GitHub.dev.
- Data exfiltration — using the stolen token, the extension calls the GitHub API to enumerate all private repositories the victim can access.
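The first two steps rest on a host window that replays messages from an embedded frame as keyboard input. The following is an added illustration of that weakness class and of the checks that close it; it is not code from VS Code or from the researcher's PoC, and the origins, the trustedWebview stand-in, the message shapes and the allowlist of message types are assumptions made for the example.

```javascript
// Added illustration, not code from VS Code or from the researcher's PoC.
// It models a host window that replays messages from an embedded webview
// as keyboard input, in a permissive form and a hardened form. The
// origins, the trustedWebview stand-in and the message shapes are
// assumptions made for this example.

const WEBVIEW_ORIGIN = "https://webview.example"; // assumed isolated webview origin

// Stand-ins for iframe.contentWindow and for some other window that can
// also call postMessage on the host (an opener, a popup, another frame).
const trustedWebview = { id: "webview-1" };
const roguePopup = { id: "rogue" };

// Permissive handler: no origin or source check, and any "keydown" message
// is turned into a synthetic key event in the host. A webview running
// attacker JavaScript can therefore drive the editor's keybindings.
function permissiveHandler(event, dispatchKey) {
  const msg = event.data;
  if (msg && msg.type === "keydown") {
    dispatchKey({ key: msg.key, ctrlKey: !!msg.ctrlKey, shiftKey: !!msg.shiftKey });
    return "dispatched";
  }
  return "ignored";
}

// Hardened handler: pin the sender by origin and by window identity,
// validate the message shape, accept only an allowlist of message types,
// and keep no code path at all from webview messages to keyboard input.
const ALLOWED_TYPES = new Set(["ready", "content-height"]);

function hardenedHandler(event) {
  if (event.origin !== WEBVIEW_ORIGIN) return "rejected:origin";
  if (event.source !== trustedWebview) return "rejected:source";
  const msg = event.data;
  if (!msg || typeof msg.type !== "string") return "rejected:shape";
  if (!ALLOWED_TYPES.has(msg.type)) return "rejected:type";
  return "accepted:" + msg.type; // real handling of the allowed types goes here
}

// Exercise both handlers with the same payloads and report what happened.
function demo() {
  const dispatched = [];
  const dispatchKey = (e) => dispatched.push(e);
  // The combination the chain relies on to reach the command palette.
  const paletteShortcut = { type: "keydown", key: "P", ctrlKey: true, shiftKey: true };
  const fromRogue = { origin: "https://attacker.example", source: roguePopup, data: paletteShortcut };
  const fromWebview = { origin: WEBVIEW_ORIGIN, source: trustedWebview, data: paletteShortcut };
  const spoofedSource = { origin: WEBVIEW_ORIGIN, source: roguePopup, data: paletteShortcut };
  const benign = { origin: WEBVIEW_ORIGIN, source: trustedWebview, data: { type: "ready" } };
  return {
    permissiveRogue: permissiveHandler(fromRogue, dispatchKey),
    permissiveWebview: permissiveHandler(fromWebview, dispatchKey),
    hardenedRogue: hardenedHandler(fromRogue),
    hardenedSpoofedSource: hardenedHandler(spoofedSource),
    hardenedWebviewKeydown: hardenedHandler(fromWebview),
    hardenedBenign: hardenedHandler(benign),
    keysDispatched: dispatched.length,
  };
}

console.log(demo());
```

In a page these handlers would be registered with window.addEventListener("message", ...); the point of the hardened form is that even a message from the genuine webview cannot become a keystroke, so compromising the webview's JavaScript no longer buys control of the editor.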
Bypassing publisher trust verification
The key element of the attack is the local workspace extensions feature. When an extension is shipped in the .vscode/extensions folder of the workspace, which for GitHub.dev means the repository the victim has just opened, it is installed without the additional publisher trust confirmation dialog. In addition, an extension can contribute its own keybindings through its package.json, so an attacker can bind a key to any VS Code command and invoke it programmatically, including the command that installs extensions, bypassing the trust check.
Impact assessment
The vulnerability poses a serious threat to developers who actively use GitHub.dev to work with repositories. The main risks are:
- Compromise of source code — according to the researcher, the stolen token grants read and write permissions to all accessible repositories, opening the door for injecting malicious code into the software supply chain.
- Access to private repositories — the attacker gains the ability to enumerate and read the contents of private repositories, which may contain confidential information, API keys, and infrastructure secrets.
- Attack scalability — exploitation requires only a single click from the victim, making it suitable for large-scale phishing campaigns targeting developers.
It is important to emphasize that there are currently no confirmed cases of this vulnerability being exploited in real-world attacks, although public PoC code is available. The exact scope of the OAuth token's permissions rests on the researcher's statements and has not been confirmed by an official security bulletin from Microsoft or GitHub.
Disclosure context
The researcher reported the vulnerability in the microsoft/vscode issue tracker on June 2, 2026 and published the technical details almost immediately. He justified this approach by his previous experience reporting VS Code vulnerabilities to Microsoft, pointing in particular to cases where similar issues were not fixed in a timely manner. Microsoft Partner Software Engineering Manager Alexandru Dima confirmed that the company is working on a fix and separately clarified that the desktop version of VS Code is not affected by this vulnerability.
Recommendations
Until Microsoft releases an official fix, it is advisable to take the following measures:
- Minimize the use of GitHub.dev — for working with private and mission-critical repositories, it is preferable to use the desktop version of VS Code or GitHub CLI, which are not affected by this attack.
- Review active OAuth authorizations — in GitHub settings (Settings → Applications → Authorized OAuth Apps), check for authorizations you do not recognize and revoke any you no longer use; revoking an authorization invalidates the tokens issued to that application.
- Review audit logs — for organizations on GitHub Enterprise, examine the audit log for anomalous repository operations (mass cloning, unexpected commits).
- Avoid clicking suspicious links that lead to GitHub.dev, especially those received by email or in messengers.
- Limit token scope — when using the GitHub API and integrations, prefer fine-grained personal access tokens with the minimum required permissions instead of classic tokens with broad access.
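The audit log review above is easier to do with a script than by eye. The following is an added example, not from the article or from GitHub, that triages an audit log JSON export for the two anomalies named: mass cloning and pushes to repositories an account does not normally push to. It assumes one JSON object per line with the fields action, actor, repo and @timestamp in epoch milliseconds, as in the audit log export; the thresholds, the sample log lines and the baseline of known pushes are constructed for the example.

```javascript
// Added example, not from the article or from GitHub. Triages a GitHub
// audit log JSON export for mass cloning and for pushes to repositories
// outside an actor's baseline. Assumptions: one JSON object per line with
// action, actor, repo and @timestamp (epoch ms); thresholds and baseline
// are tuning data for this sample.

const CLONE_THRESHOLD = 5;        // distinct repos cloned by one actor ...
const WINDOW_MS = 10 * 60 * 1000; // ... within this window is suspicious

// Constructed sample: alice behaves normally; bob's session looks like a
// stolen token being used to enumerate and clone everything it can reach.
const SAMPLE_NDJSON = `
{"action":"git.clone","actor":"alice","repo":"acme/web","@timestamp":1780000000000}
{"action":"git.push","actor":"alice","repo":"acme/web","@timestamp":1780000060000}
{"action":"org.update_member","actor":"carol","@timestamp":1780000090000}
{"action":"git.clone","actor":"bob","repo":"acme/web","@timestamp":1780000120000}
{"action":"git.clone","actor":"bob","repo":"acme/api","@timestamp":1780000150000}
{"action":"git.clone","actor":"bob","repo":"acme/docs","@timestamp":1780000180000}
{"action":"git.clone","actor":"bob","repo":"acme/infra","@timestamp":1780000210000}
{"action":"git.clone","actor":"bob","repo":"acme/billing","@timestamp":1780000240000}
{"action":"git.clone","actor":"bob","repo":"acme/infra-secrets","@timestamp":1780000270000}
{"action":"git.push","actor":"bob","repo":"acme/infra-secrets","@timestamp":1780000400000}
`;

// Known-good actor:repo push pairs from a previous period (constructed).
const PUSH_BASELINE = new Set(["alice:acme/web", "bob:acme/docs"]);

function parseAuditLog(text) {
  return text.split("\n").map((l) => l.trim()).filter(Boolean).map((l) => JSON.parse(l));
}

// For each actor, the largest number of distinct repos cloned inside any
// window of windowMs; actors at or above threshold are flagged.
function massCloners(events, threshold = CLONE_THRESHOLD, windowMs = WINDOW_MS) {
  const byActor = new Map();
  for (const e of events) {
    if (e.action !== "git.clone") continue;
    if (!byActor.has(e.actor)) byActor.set(e.actor, []);
    byActor.get(e.actor).push(e);
  }
  const flagged = [];
  for (const [actor, clones] of byActor) {
    clones.sort((a, b) => a["@timestamp"] - b["@timestamp"]);
    let best = 0;
    let lo = 0;
    for (let hi = 0; hi < clones.length; hi++) {
      while (clones[hi]["@timestamp"] - clones[lo]["@timestamp"] > windowMs) lo++;
      const distinct = new Set(clones.slice(lo, hi + 1).map((c) => c.repo)).size;
      if (distinct > best) best = distinct;
    }
    if (best >= threshold) flagged.push({ actor, distinctRepos: best });
  }
  return flagged;
}

// Pushes by an actor to a repo that is not in that actor's push baseline.
function unexpectedPushes(events, baseline = PUSH_BASELINE) {
  return events
    .filter((e) => e.action === "git.push" && !baseline.has(`${e.actor}:${e.repo}`))
    .map((e) => ({ actor: e.actor, repo: e.repo, at: new Date(e["@timestamp"]).toISOString() }));
}

function triage(text = SAMPLE_NDJSON) {
  const events = parseAuditLog(text);
  return { massCloners: massCloners(events), unexpectedPushes: unexpectedPushes(events) };
}

console.log(JSON.stringify(triage(), null, 2));
```

Feed triage the NDJSON export of the organization's audit log; build the push baseline from a period before the disclosure date, and tune CLONE_THRESHOLD and WINDOW_MS to how your developers normally work, since CI runners and mirror jobs will otherwise show up as mass cloners.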
Developers and organizations that actively use GitHub.dev should temporarily switch to the desktop version of VS Code for work with private repositories and monitor the status of the fix in Microsoft’s issue tracker. Given the public availability of PoC code and the lack of a patch, the window for potential exploitation remains open — reviewing active OAuth authorizations in GitHub settings is a priority action right now.