Zero-Day Vulnerability in VS Code Allows GitHub Token Theft via Malicious Links

3 Jun 2026 | Sources: Cybersecuritynews, Gbhackers, Bleepingcomputer, Feeds.4Sysops, Theregister, +9

A newly disclosed zero-day vulnerability in Visual Studio Code (VS Code) lets attackers steal GitHub OAuth tokens by tricking users into clicking a malicious link. The flaw abuses the webview message-passing system in VS Code to install malicious extensions, which can then extract tokens with full access to private repositories. Security researcher Ammar Askar publicly disclosed the vulnerability on June 2, 2026, having notified GitHub just an hour earlier. Microsoft has not yet issued a patch or assigned a CVE ID for this issue. Users are advised to clear cookies and site data for github.dev to mitigate the risk. Askar's decision to disclose publicly right away stems from past negative experiences with Microsoft's security response process. This vulnerability is part of a concerning trend of zero-days affecting Microsoft products.

Key Points:
• A zero-day vulnerability in VS Code allows OAuth token theft from GitHub.
• Attackers can exploit this flaw by tricking users into clicking malicious links.
• No patch is currently available, and users are advised to clear site data for protection.

Timeline

2026-06-02: Vulnerability publicly disclosed
Security researcher Ammar Askar disclosed a zero-day vulnerability in VS Code that allows GitHub token theft via malicious links. (Source: Bleepingcomputer)

2026-06-02: Notification to GitHub
Askar notified GitHub about the vulnerability one hour before public disclosure to ensure awareness. (Source: Bleepingcomputer)

2026-06-03: User mitigation advice issued
Users are advised to clear cookies and local site data for github.dev to protect against exploitation. (Source: Bleepingcomputer)
