VYPR
researchPublished Jun 3, 2026· Updated Jun 4, 2026· 4 sources

One-Click GitHub Token Vulnerability Exposes Private Repositories

A critical vulnerability in Visual Studio Code's webview implementation allows attackers to steal GitHub OAuth tokens via a single malicious link, granting access to private repositories.

A critical security flaw discovered in Visual Studio Code's webview implementation poses a significant risk to GitHub users, potentially allowing attackers to steal OAuth tokens with read/write access to private repositories through a single malicious link. The vulnerability, publicly disclosed by security researcher Ammar Askar, impacts the browser-based GitHub.dev environment and the desktop version of VSCode.

The core of the issue lies in how VSCode handles keyboard events within its webview components, which are used to render potentially untrusted content like Markdown previews and Jupyter notebooks. While VSCode employs a security model to isolate these webviews, it uses the Window.postMessage() API to facilitate communication between the webview and the main editor. To enhance user experience, VSCode forwards all keyboard events from within the webview to the main editor. This mechanism, intended for seamless shortcut functionality, can be exploited by malicious JavaScript running within a webview to simulate user input.

Attackers can leverage this by crafting malicious Jupyter notebooks (.ipynb files) or by manipulating the .vscode/extensions.json file within a repository. In the case of Jupyter notebooks, an HTML image tag with an onerror handler can execute arbitrary JavaScript. For the .vscode/extensions.json file, the payload waits for a VSCode recommendation notification and then dispatches a synthetic keydown event to trigger the "Notifications: Accept Notification Primary Action" command. This allows for the silent installation of a malicious extension.

Once a malicious extension is installed, it can bypass the usual publisher trust dialogs, especially in the inherently trusted github.dev environment. The extension then gains access to the pre-loaded, unscoped GitHub OAuth token. This token can be used to enumerate all accessible private repositories via the GitHub API, effectively exfiltrating both the token and a list of sensitive repositories.

The exploit chain is remarkably efficient, with the full JavaScript payload executing in under a minute and requiring only an initial click on a malicious link. While the desktop version of VSCode requires the victim to clone and open an attacker-controlled repository, the github.dev environment is more susceptible due to its browser-based nature and the lack of CSRF tokens, making any link a potential vector.

The implications are severe: attackers could gain unfettered read, modify, or push access to every private repository a victim has access to without their knowledge. The stolen OAuth token is not limited to a single repository, amplifying the potential damage.

Mitigation advice includes clearing site data for github.dev in the browser to re-enable consent dialogs, avoiding unknown github.dev links, and auditing installed extensions. While VSCode's defense-in-depth measures, such as strict Content Security Policies, limited the full potential of the exploit, the vulnerability remains a critical threat until officially patched by Microsoft and GitHub.

This incident highlights the ongoing challenges in securing complex development environments and the critical need for robust security models in integrated development tools, especially those that operate in cloud-based or browser-hosted contexts.

The researcher who discovered this zero-day vulnerability in Visual Studio Code has detailed their decision to publicly disclose the flaw immediately due to a negative prior experience with Microsoft's security response process, where a previous VS Code bug was fixed silently without acknowledgment. This disclosure strategy aims to ensure credit and transparency, contrasting with the typical coordinated disclosure timelines.

This new report provides a deeper technical dive into the exploit mechanism, detailing how attackers can leverage malicious JavaScript within VS Code webviews to simulate keypresses, open the Command Palette, and install extensions that bypass trusted publisher checks. It also clarifies that the vulnerability specifically affects the GitHub.dev feature and not the VS Code desktop application.

This new report details that the vulnerability was disclosed by a researcher who bypassed standard responsible disclosure practices by releasing full details and a proof-of-concept exploit without prior notification to Microsoft. This aggressive disclosure tactic amplifies the immediate risk to users, as attackers can leverage the provided exploit code to target Visual Studio Code installations.

Synthesized by Vypr AI