One Click, Token Gone
Clicking a link on GitHub can hand over your GitHub OAuth token, a token with full read/write access to every repo you can reach, private ones included. Security researcher Ammar Askar found a bug in VSCode's webview security model that allows arbitrary keyboard event injection; on github.dev that is enough for an attacker to install a malicious extension and exfiltrate the token.
The attack targets github.dev, the browser-based VSCode that can be opened on any GitHub repo. When you open a repo on github.dev, GitHub POSTs an OAuth token to the editor so it can call the API on your behalf. That token is not scoped to the repo you opened: it is your account-wide token, so whoever obtains it from the editor gets the same access you have across all of your repos.
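The practical question after a leak like this is what a given token can actually reach. The snippet below is an added example, not code from the article or from GitHub or VSCode: it reads the scope list GitHub returns in the `X-OAuth-Scopes` response header of any authenticated REST call, expands it through GitHub's documented scope hierarchy (assumed here to match the current docs), and reports the blast radius in the terms the article uses. The header value is a constructed sample; `fetchTokenScopes` is a hypothetical helper showing where the header comes from and is not exercised offline.

```javascript
// Added example: audit the reach of a GitHub OAuth token from its granted
// scopes. Scope implications below follow GitHub's documented hierarchy
// (assumption: unchanged from the docs at the time of writing).
const IMPLIED_SCOPES = {
  'repo': ['repo:status', 'repo_deployment', 'public_repo', 'repo:invite', 'security_events'],
  'user': ['read:user', 'user:email', 'user:follow'],
  'admin:org': ['write:org', 'read:org'],
  'write:org': ['read:org'],
  'admin:public_key': ['write:public_key', 'read:public_key'],
  'write:public_key': ['read:public_key'],
  'admin:repo_hook': ['write:repo_hook', 'read:repo_hook'],
  'write:repo_hook': ['read:repo_hook'],
  'write:discussion': ['read:discussion'],
  'write:packages': ['read:packages'],
};

// Parse the comma-separated header value ("repo, gist, read:org") into the
// set of explicitly granted scopes. An empty header means a token with no
// scopes, which can still read public data but nothing private.
function parseScopeHeader(value) {
  return new Set(
    (value || '')
      .split(',')
      .map((s) => s.trim())
      .filter((s) => s.length > 0),
  );
}

// Transitive closure over the implication table: every scope the token
// effectively holds, not only the ones literally listed in the header.
function effectiveScopes(granted) {
  const result = new Set(granted);
  const queue = [...granted];
  while (queue.length > 0) {
    const scope = queue.pop();
    for (const implied of IMPLIED_SCOPES[scope] || []) {
      if (!result.has(implied)) {
        result.add(implied);
        queue.push(implied);
      }
    }
  }
  return result;
}

// Blast radius of a leaked token: can it read private repos, push to repos,
// delete repos, or rewrite Actions workflows?
function assessBlastRadius(headerValue) {
  const scopes = effectiveScopes(parseScopeHeader(headerValue));
  return {
    scopes: [...scopes].sort(),
    privateRepoRead: scopes.has('repo'),
    privateRepoWrite: scopes.has('repo'),
    publicRepoWrite: scopes.has('repo') || scopes.has('public_repo'),
    canDeleteRepos: scopes.has('delete_repo'),
    canEditWorkflows: scopes.has('workflow'),
  };
}

// Hypothetical helper (network, Node 18+ fetch): any authenticated REST call
// carries the X-OAuth-Scopes header, so a cheap GET /user is enough.
async function fetchTokenScopes(token) {
  const res = await fetch('https://api.github.com/user', {
    headers: { Authorization: `Bearer ${token}`, 'User-Agent': 'scope-audit' },
  });
  return res.headers.get('x-oauth-scopes') || '';
}

// Constructed sample header in the shape of a token like the one the article
// describes: the bare `repo` scope already covers every private repo.
const SAMPLE_HEADER = 'repo, gist, read:org';

console.log(assessBlastRadius(SAMPLE_HEADER));
```

Note that `repo` alone expands to five further scopes and flips every repo-related flag; a token that github.dev needs only for editing one repository still carries that whole set, which is exactly why the article calls it a global token.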
The Webview Sandbox Hole
VSCode uses webviews (isolated `


