Zero-Day Vulnerability in VS Code Allows GitHub Token Theft via Malicious Links

Severity: High (Score: 71.0)

Sources: github.com, Bleepingcomputer, Cybersecuritynews, Gbhackers

Published: 2026-06-03 · Updated: 2026-06-03

Keywords: code, github, vulnerability, attackers, steal, tokens, users

Severity indicators: vulnerability

Summary

A newly disclosed zero-day vulnerability in Visual Studio Code (VS Code) enables attackers to steal GitHub OAuth tokens by tricking users into clicking a malicious link. The flaw exploits the webview message-passing system in VS Code, allowing malicious extensions to be installed that can extract tokens with full access to private repositories. Security researcher Ammar Askar publicly disclosed this vulnerability on June 2, 2026, after notifying GitHub just an hour prior. Microsoft has not yet issued a patch or assigned a CVE ID for this issue. Users are advised to clear cookies and site data for github.dev to mitigate the risk. Askar's decision to disclose publicly right away stems from past negative experiences with Microsoft's security response process. This vulnerability is part of a concerning trend of zero-days affecting Microsoft products.

Key Points:

  • A zero-day vulnerability in VS Code allows OAuth token theft from GitHub.
  • Attackers can exploit this flaw by tricking users into clicking malicious links.
  • No patch is currently available, and users are advised to clear site data for protection.

Detailed Analysis

**Impact** Users of Visual Studio Code, specifically those using the browser-based github.dev editor, are affected by this vulnerability. Attackers can steal GitHub OAuth tokens that grant full read and write access to all private repositories accessible by the victim, potentially exposing sensitive code and intellectual property. The flaw impacts developers and organizations relying on GitHub for source code management globally. No specific numbers or sectors were provided.

**Technical Details** The vulnerability exploits VS Code’s sandboxed webview message-passing system by running malicious JavaScript that simulates keypresses to install extensions without user consent. This allows attackers to extract OAuth tokens passed from github.com to github.dev and use GitHub’s API to enumerate private repositories. No CVE has been assigned yet. The attack requires the victim to click a malicious link, enabling token theft during the initial access and credential access stages of the kill chain. No IOCs or malware hashes were provided.

**Recommended Response** Users should immediately clear cookies and local site data for github.dev in their browsers to trigger explicit sign-in prompts before extensions are installed. Monitor for suspicious extension installation requests and unauthorized GitHub API activity. No official patch is available yet; therefore, users must exercise caution when clicking links related to github.dev. Organizations should monitor for unusual OAuth token usage and review access logs for anomalies.

Source articles (4)

  • 1-Click GitHub Token Vulnerability Lets Attackers Steal Users’ OAuth Tokens — Cybersecuritynews · 2026-06-03
    A critical security vulnerability in Visual Studio Code’s webview implementation allows attackers to steal GitHub OAuth tokens, including read/write access to private repositories, simply by tricking…
  • 1 — Gbhackers · 2026-06-03
    A newly disclosed vulnerability in GitHub’s browser-based editor, GitHub.dev, allows attackers to steal powerful OAuth tokens with just a single click, giving them read and write access to private rep…
  • VS Code zero — Bleepingcomputer · 2026-06-03
    A security researcher has released exploit code for a Visual Studio Code (VS Code) zero-day vulnerability that allows attackers to steal GitHub authentication tokens by tricking users into clicking a…
  • Github Dev Token Steal Poc — github.com · 2026-06-03

Timeline

  • 2026-06-02 — Vulnerability publicly disclosed: Security researcher Ammar Askar disclosed a zero-day vulnerability in VS Code that allows GitHub token theft via malicious links.
  • 2026-06-02 — Notification to GitHub: Askar notified GitHub about the vulnerability one hour before public disclosure to ensure awareness.
  • 2026-06-03 — User mitigation advice issued: Users are advised to clear cookies and local site data for github.dev to protect against exploitation.

Related entities

  • Data Breach (Attack Type)
  • Phishing (Attack Type)
  • Zero-day Exploit (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • github.dev (Domain)
  • T1059.007 - JavaScript (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1567.002 - Exfiltration to Cloud Storage (Mitre Attack)
  • GitHub (Platform)
  • Visual Studio Code (Platform)
  • Windows (Platform)
  • 1-Click GitHub Token Vulnerability (Vulnerability)
  • BlueHammer (Vulnerability)
  • GreenPlasma (Vulnerability)
  • MiniPlasma (Vulnerability)
  • RedSun (Vulnerability)
  • UnDefend (Vulnerability)
  • YellowKey (Vulnerability)