
GitHub Zero-Day in github.dev Could Expose Developer OAuth Tokens

3h ago · 1 min read · en · News

Summary

Security researcher Ammar Askar disclosed a zero-day vulnerability in github.dev, GitHub's browser-based VSCode environment, that could expose developer OAuth tokens. The attack involves tricking a developer into opening a compromised repository via github.dev, which then loads a malicious extension. The attack exploits how extensions communicate through a VSCode webview, enabling a sandbox escape and token theft. A stolen token lets an attacker impersonate the developer, with read and write access to repositories, which could allow deleting codebases, cloning private repositories, and injecting malicious code. Microsoft implemented mitigations on June 3 following the disclosure.

Key quotes (5 pulled)

Ammar Askar disclosed a zero-day in github.dev, GitHub's browser-based VSCode environment, that could expose GitHub OAuth tokens.
The vulnerability lies in how the extension communicates through a VSCode webview, allowing sandbox escape and token theft.
Stolen tokens can let attackers impersonate the developer and gain read access to repositories and organizational code.
The attacker can also obtain write access, enabling deletion of codebases, cloning private repositories, and pushing malicious code to production software.
Microsoft added mitigations on June 3 per the disclosure timeline.
Snippet from the RSS feed
Ammar Askar disclosed a zero-day in github.dev, GitHub’s browser-based VSCode environment, that could expose GitHub OAuth tokens. The attack starts by tricking a developer into opening a compromised repository via github.dev, which then loads a malicious

You might also wanna read

GitHub Token Theft Vulnerability Discovered in VSCode's Browser-Based github.dev Feature

A security vulnerability in GitHub's github.dev feature (browser-based VSCode) allows attackers to steal GitHub tokens with read/write acces

blog.ammaraskar.com·2d ago

Security Researcher Discovers Vulnerabilities in VSCode Extensions and Core Software

A security researcher details their discovery and disclosure of three vulnerabilities in VSCode extensions and one in VSCode itself (CVE-202

blog.trailofbits.com·3mo ago

GitHub confirms breach of 3,800 repos via malicious VSCode extension

bleepingcomputer.com·15d ago

Microsoft bans security researcher from GitHub after zero-day exploit posts; researcher threatens retaliation

A security researcher known as Nightmare-Eclipse (Chaotic Eclipse) has been banned from Microsoft's GitHub platform after allegedly posting

tomshardware.com·7d ago

GitHub patches critical remote code execution vulnerability in under six hours after AI-assisted discovery

GitHub patched a critical remote code execution vulnerability in under six hours last month. The flaw, discovered by Wiz Research using AI m

The Verge·1mo ago

Glassworm Threat Actor Returns with Unicode-Based Supply Chain Attacks on GitHub, npm, and VS Code

The Glassworm threat actor has returned with a new wave of supply chain attacks using invisible Unicode characters to compromise software re

aikido.dev·2mo ago