VS Code vulnerability in github.dev allows attackers to steal GitHub OAuth tokens via malicious links
By Markus Kasanmascheff
Summary
Security researcher Ammar Askar released exploit code for a Visual Studio Code vulnerability that can steal GitHub OAuth tokens when a victim clicks a single github.dev repository link. The attack chain exploits the OAuth token granted to GitHub's browser-based editor, which can then access not just the opened repository but potentially all repositories the user has access to. The exploit exposes private repositories and poses significant risk to developers and organizations while they await a patch from Microsoft/GitHub.
Key quotes
Security researcher Ammar Askar released exploit code on June 2 for a Visual Studio Code flaw that can steal GitHub tokens after a victim clicks one github.dev repository link.
GitHub's browser editor receives an OAuth token that lets the session act for the signed-in user, and the disclosed chain can reach repositories beyond the one that opened the editor.
One stolen token can reach every repository the user
