One-Click Exploit in VS Code's GitHub.dev Steals GitHub Tokens, Exposing Private Repositories
A critical vulnerability has been disclosed in **Microsoft Visual Studio Code (VS Code)**, specifically within its **GitHub.dev** environment. This one-click exploit allows attackers to steal **GitHub** OAuth tokens, granting them read and write access to a user's private repositories. The flaw leverages malicious extensions and a message-passing mechanism to bypass security checks.
Cybersecurity researchers have uncovered a significant vulnerability affecting **Microsoft Visual Studio Code (VS Code)** when used with **GitHub.dev**, a web-based code editor. This exploit enables a one-click attack that can compromise a user's **GitHub** token, providing unauthorized access to their repositories.
"Just by clicking a link, it's possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones," warned security researcher **Ammar Askar** in a [detailed blog post](https://blog.ammaraskar.com/github-token-stealing/).

### Understanding GitHub.dev and the Token Flow
**GitHub.dev** operates as a [lightweight web-based source code editor](https://docs.github.com/en/codespaces/the-githubdev-web-based-editor) directly within a web browser's sandbox, facilitating actions like sending pull requests and making commits. This functionality relies on **github.com** securely POSTing an **OAuth** token to **GitHub.dev**, authorizing it to interact with **GitHub** on the user's behalf.
Crucially, this **OAuth** token is not scoped to a specific repository. Instead, it grants full access to every repository the user can access, making its compromise highly impactful.
### The Exploit Mechanism
The vulnerability allows attackers to install malicious **VS Code** extensions that intercept these sensitive **GitHub OAuth** tokens. The core of the exploit lies in abusing a [message-passing mechanism](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) between the main **VS Code** window and its [webviews](https://code.visualstudio.com/api/extension-guides/webview), which are used for rendering content like Markdown previews or Jupyter notebooks.

Specifically, the exploit executes malicious JavaScript within an untrusted webview. This script simulates keypresses (**Ctrl+Shift+P**) in the main editor window, opening the **Command Palette**. It then programmatically installs an attacker-controlled extension. This malicious extension subsequently extracts the **GitHub OAuth** token passed to **GitHub.dev** and queries the **GitHub API** to enumerate all private repositories accessible to the victim.
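The chain above depends on the main window accepting messages from a webview that it should have refused. As an added illustration (not VS Code's or GitHub.dev's code), the handler below shows the two checks a `postMessage` receiver needs: an allowlist of sending origins, and a per-origin allowlist of message types, so that only the token issuer may deliver a token and a webview can never send anything that drives editor commands. Every origin and message type in it is an assumption made up for the example.

```javascript
// Added example, not VS Code's or GitHub.dev's code: a window.postMessage receiver that
// enforces an origin allowlist and a per-origin allowlist of message types.
// All origins and message-type names below are assumptions constructed for this example.
const ORIGIN_POLICY = {
  // Assumption: the OAuth token may only arrive from github.com.
  "https://github.com": new Set(["oauth-token"]),
  // Assumption: webview content is served from its own sandbox origin and may only send
  // rendering-related messages, never anything that dispatches editor commands or keystrokes.
  "https://webview.sandbox.example": new Set(["ready", "resize"]),
};

function classifyMessage(origin, data) {
  // Sandboxed iframes without allow-same-origin report the opaque origin "null";
  // hasOwnProperty also keeps prototype keys such as "constructor" from matching.
  const allowedTypes = Object.prototype.hasOwnProperty.call(ORIGIN_POLICY, origin)
    ? ORIGIN_POLICY[origin]
    : null;
  if (!allowedTypes) return { accept: false, reason: `untrusted origin ${origin}` };
  if (!data || typeof data !== "object" || typeof data.type !== "string") {
    return { accept: false, reason: "malformed message" };
  }
  if (!allowedTypes.has(data.type)) {
    return { accept: false, reason: `type '${data.type}' not permitted from ${origin}` };
  }
  return { accept: true, reason: "ok" };
}

// Records each decision in `log` instead of acting on it, so the policy can be exercised offline.
function handleMessage(event, log) {
  const verdict = classifyMessage(event.origin, event.data);
  if (verdict.accept) {
    log.accepted.push({ origin: event.origin, type: event.data.type });
  } else {
    log.rejected.push({ origin: event.origin, reason: verdict.reason });
  }
  return verdict;
}

// Constructed sample events standing in for browser MessageEvent objects.
const SAMPLE_EVENTS = [
  { origin: "https://github.com", data: { type: "oauth-token", token: "gho_constructed_sample" } },
  { origin: "https://webview.sandbox.example", data: { type: "ready" } },
  // A webview asking the editor to do something: wrong message type for its origin.
  { origin: "https://webview.sandbox.example", data: { type: "dispatch-command" } },
  // A webview trying to hand the editor a token: token type is not allowed from that origin.
  { origin: "https://webview.sandbox.example", data: { type: "oauth-token", token: "gho_forged" } },
  // Unknown and opaque origins.
  { origin: "https://attacker.example", data: { type: "oauth-token", token: "gho_forged" } },
  { origin: "null", data: { type: "ready" } },
];

function runDemo(events = SAMPLE_EVENTS) {
  const log = { accepted: [], rejected: [] };
  for (const ev of events) handleMessage(ev, log);
  return log;
}

// In a real page the handler would be registered like this; guarded so the file also runs in Node.
if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) => handleMessage(ev, { accepted: [], rejected: [] }));
}
```

Run under Node, `runDemo()` accepts only the first two sample events and rejects the other four; the point of keying the type allowlist on the origin is that a webview cannot gain anything by naming a privileged message type, because the decision is made on where the message came from, not on what it claims to be.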
### Bypassing Trust Checks
The attack further leverages a **VS Code** feature known as [local workspace extensions](https://code.visualstudio.com/updates/v1_89#_local-workspace-extensions). This feature permits extensions to be directly installed by placing them in the `.vscode/extensions` folder within a workspace, effectively bypassing the standard [trust dialog prompt](https://code.visualstudio.com/docs/configure/extensions/extension-runtime-security#_extension-publisher-trust).
Askar explained, "This is just a small hiccup though, one of the things that extensions can do as part of their package.json is to contribute extra keybindings to VS Code. Since we can reliably trigger keybindings, we can just add a keybind for whatever VS Code command we want, such as installing an extension while skipping the trusted publisher check."
### Disclosure and Microsoft's Response
**GitHub** was [notified](https://github.com/microsoft/vscode/issues/319593) of this vulnerability on June 2, 2026. However, details of the issue were made public shortly after, a decision **Askar** attributed to **Microsoft**'s past [handling](https://blog.ammaraskar.com/vscode-rce/) of similar [VS Code-related bugs](https://starlabs.sg/blog/2025/05-breaking-out-of-restricted-mode-xss-to-rce-in-visual-studio-code/).
Initially, **Microsoft** acknowledged the vulnerability and confirmed it was working on a fix. **Alexandru Dima**, a partner software engineering manager at **Microsoft**, clarified that "this issue does not affect **VS Code Desktop**."
### Update: Vulnerability Mitigated
Following the public disclosure, **Microsoft** confirmed that the vulnerability has been addressed. "This issue has been mitigated for our services and no customer action is required," a **Microsoft** spokesperson stated, indicating that users of **GitHub.dev** are now protected. Ghost Protocol will continue to monitor for further details on the fix and any related security advisories.