GitHub Token Theft Vulnerability Discovered in VSCode's Browser-Based github.dev Feature
By ammar2
Summary
A security vulnerability in GitHub's github.dev feature (browser-based VSCode) allows an attacker to steal a GitHub token with read/write access to both public and private repositories simply by getting a victim to click a malicious link. The article details how the attack works and the risks involved, and provides recommendations for mitigating and protecting against this type of token theft.
Key quotes
Just by clicking a link, it's possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones.
This browser instance of VSCode is pre
Did you know GitHub has this really cool feature called github.dev?