
GitHub Token Theft Vulnerability Exploited via github.dev

Severity: High (Score: 63.0)

Sources: en.wikipedia.org, blog.ammaraskar.com, News.Ycombinator

Published: 2026-06-03 · Updated: 2026-06-03

Keywords: github, token, just, clicking, link, possible, attacker

Summary

A vulnerability has been identified that allows attackers to steal GitHub OAuth tokens by exploiting the github.dev feature. github.dev gives users a lightweight, browser-based version of VS Code that can interact with GitHub repositories. The OAuth token it holds is not limited to a specific repository; it grants access to every repository the user can reach. Attackers can leverage bugs in the VS Code webviews to exfiltrate these tokens. The attack vector relies on executing JavaScript within the webviews, which are designed to isolate content from the editor for security. This poses a significant risk to users with access to private repositories. As of now, no patches or fixes have been reported in the sources. Users are advised to be cautious when using the github.dev feature.

Key Points:

  • Attackers can steal GitHub OAuth tokens via the github.dev feature.
  • The stolen token grants read and write access to all repositories the victim can access, not just the one open in the editor.
  • No patches or fixes have been reported as of now.

Detailed Analysis

**Impact**

Users of GitHub who use the github.dev feature are affected, including those with access to private repositories. A stolen OAuth token grants read and write access to every repository the victim can reach, exposing sensitive source code and intellectual property. The scope covers individual developers, enterprises and organizations that rely on GitHub for code management globally. The sources give no specific numbers or sectors.

**Technical Details**

The attack targets the github.dev browser-based VS Code environment. The OAuth token github.dev uses is not scoped to a single repository, and it is passed over the Window.postMessage() API between the editor page and VS Code webviews, which are sandboxed on separate origins. Malicious JavaScript executing inside a webview can therefore receive the token over that message channel and exfiltrate it. The sources mention no CVE or malware name. In kill-chain terms the attack sits at the initial access stage (the victim clicks a link that opens a github.dev session) and the credential theft stage.

**Recommended Response**

Defenders should monitor for unusual OAuth token usage and restrict token scopes to the minimum necessary permissions. GitHub should scope github.dev tokens more tightly and review the sandboxing and message-passing mechanisms between VS Code webviews and the editor. Users should avoid clicking untrusted links that open github.dev sessions and revoke potentially compromised tokens immediately. The sources provide no specific patches or IOCs.
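To make the postMessage point concrete, the following is an added example written for this page; it is not code from github.dev, VS Code or the source blog post. It models the browser's Window.postMessage() delivery rule with plain objects so it runs in Node, and contrasts three embedding pages answering a webview's token request: one that replies with targetOrigin "*", one that checks an origin claim carried inside the message payload, and one that checks the browser-set event.origin and echoes it back as targetOrigin. The origins https://editor.example, https://trusted.webview.example and https://attacker.example and the token string are constructed stand-ins, not values from the page.

```javascript
// Added example for this page: a small model of how Window.postMessage()
// delivers between origins, used to contrast a token handshake that leaks
// to an attacker-controlled webview with a hardened one. Not code from
// github.dev, VS Code or the source blog post; every origin and the token
// string below are constructed stand-ins.

const TOKEN = "gho_CONSTRUCTED_EXAMPLE_TOKEN";            // constructed, not a real token
const HOST_ORIGIN = "https://editor.example";              // stand-in for the embedding editor page
const WEBVIEW_ORIGIN = "https://trusted.webview.example";  // stand-in for the legitimate webview origin
const ATTACKER_ORIGIN = "https://attacker.example";        // attacker-controlled webview origin

class FakeWindow {
  constructor(origin) { this.origin = origin; this.listeners = []; this.stolen = []; }
  addEventListener(type, fn) { if (type === "message") this.listeners.push(fn); }
}

// Browser delivery rule for target.postMessage(data, targetOrigin): the message
// is dropped unless targetOrigin is "*" or exactly equals the receiver's current
// origin. The receiver gets the sender's real origin in event.origin; the sender
// cannot forge that field, only the payload.
function postMessage(sender, target, data, targetOrigin) {
  if (targetOrigin !== "*" && targetOrigin !== target.origin) return false;
  for (const fn of target.listeners) fn({ data, origin: sender.origin, source: sender });
  return true;
}

// A webview that records every token message it receives. Used both for the
// attacker's page and for the legitimate webview.
function tokenSink(origin) {
  const win = new FakeWindow(origin);
  win.addEventListener("message", (e) => {
    if (e.data && e.data.type === "token") win.stolen.push(e.data.token);
  });
  return win;
}

// Weak host: answers any "get-token" request with targetOrigin "*", so whatever
// window sent the request receives the token.
function weakHost() {
  const host = new FakeWindow(HOST_ORIGIN);
  host.addEventListener("message", (e) => {
    if (e.data && e.data.type === "get-token") {
      postMessage(host, e.source, { type: "token", token: TOKEN }, "*");
    }
  });
  return host;
}

// Naive host: "checks" the requester, but reads the origin from the
// attacker-controlled payload instead of the browser-set event.origin.
function naiveHost(allowedOrigin) {
  const host = new FakeWindow(HOST_ORIGIN);
  host.addEventListener("message", (e) => {
    if (!e.data || e.data.type !== "get-token") return;
    if (e.data.from !== allowedOrigin) return;            // spoofable field
    postMessage(host, e.source, { type: "token", token: TOKEN }, "*");
  });
  return host;
}

// Hardened host: allowlists event.origin and echoes it back as targetOrigin,
// so the browser itself refuses delivery to any other origin.
function hardenedHost(allowedOrigin) {
  const host = new FakeWindow(HOST_ORIGIN);
  host.addEventListener("message", (e) => {
    if (!e.data || e.data.type !== "get-token") return;
    if (e.origin !== allowedOrigin) return;               // browser-set, not spoofable
    postMessage(host, e.source, { type: "token", token: TOKEN }, e.origin);
  });
  return host;
}

// A webview asks the embedding page for the token; returns what it received.
function requestToken(host, webview, payload = {}) {
  postMessage(webview, host, { type: "get-token", ...payload }, HOST_ORIGIN);
  return webview.stolen;
}

function runScenarios() {
  const forged = { from: WEBVIEW_ORIGIN };                 // attacker claims the trusted origin
  return {
    weak: requestToken(weakHost(), tokenSink(ATTACKER_ORIGIN)),
    naive: requestToken(naiveHost(WEBVIEW_ORIGIN), tokenSink(ATTACKER_ORIGIN), forged),
    hardenedVsAttacker: requestToken(hardenedHost(WEBVIEW_ORIGIN), tokenSink(ATTACKER_ORIGIN), forged),
    hardenedVsTrusted: requestToken(hardenedHost(WEBVIEW_ORIGIN), tokenSink(WEBVIEW_ORIGIN)),
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Run with `node`: the weak and naive hosts hand the token to the attacker origin, the hardened host delivers it only to the trusted webview origin. Two things carry the weight: an explicit targetOrigin, which the browser enforces, and a check on event.origin rather than on anything inside the payload. Note the limit of this defence in the scenario the page describes: if attacker JavaScript is already executing inside the legitimate webview origin, an origin allowlist cannot distinguish it from the real webview, which is why the response section also calls for tokens scoped to the minimum necessary permissions.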

Source articles (3)

  • 1 — News.Ycombinator · 2026-06-02
    Just by clicking a link, it’s possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones . Did you know GitHub has this really cool feature called g…
  • Github Token Stealing — blog.ammaraskar.com · 2026-06-03
    Just by clicking a link, it’s possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones . Did you know GitHub has this really cool feature called g…
  • Same Origin Policy — en.wikipedia.org · 2026-06-03

Timeline

  • 2026-06-02 — Vulnerability reported: A vulnerability allowing GitHub token theft via github.dev was reported, affecting users with access to private repositories.
  • 2026-06-03 — Blog post details attack method: A blog post elaborated on how attackers can exploit the vulnerability using VSCode's webviews to exfiltrate OAuth tokens.

Related entities

  • Data Breach (Attack Type)
  • XSS (Vulnerability)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • CWE-352 - Cross-Site Request Forgery (CSRF) (CWE)
  • CWE-79 - Cross-site Scripting (XSS) (CWE)
  • extensions.as (Domain)
  • github.dev (Domain)
  • hackerman.com (Domain)
  • out.so (Domain)
  • vscode-cdn.net (Domain)
  • T1059.007 - JavaScript (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • Chrome (Tool)
  • Google Chrome (Tool)
  • Electron (Platform)
  • GitHub (Platform)