VSCode Bug Lets Attackers Steal GitHub Tokens via One Click
A vulnerability in VSCode's webview security model allows an attacker to steal full-access GitHub OAuth tokens by getting a victim to click a link. The bug exploits keydown event forwarding to install malicious extensions, bypassing trust checks. Proof-of-concept code is already public.
1 min readJun 3, 2026
One Click, Token Gone
Clicking a link on GitHub can now hand over your GitHub OAuth token—with full read/write access to all your repos, including private ones. Security researcher Ammar Askar discovered a bug in VSCode's webview security model that allows arbitrary keyboard event injection, enabling an attacker to install a malicious extension and exfiltrate the token.
The attack targets github.dev, the browser-based VSCode that runs on any GitHub repo. When you open a repo on github.dev, GitHub POSTs an OAuth token to the editor, giving it full API access. The token is not scoped to just that repo—it's your global token.
The Webview Sandbox Hole
VSCode uses webviews (isolated `
Editor's Take
I've been using VSCode daily for years and never questioned the webview security model. This bug is a great example of how convenience features (keyboard shortcut forwarding) can be weaponized. I'm impressed by the researcher's patience in chaining four separate features into a working exploit. The fact that the token is not repo-scoped is a design flaw that GitHub should address, even if it means some features break. I'm updating VSCode right after I finish this article.
— DevDigest Editorial
Key Takeaways
•Update VSCode to version 1.98 or later to get the fix that strips modifier keys from programmatic keyboard events in webviews.
•Be cautious when clicking links to github.dev from untrusted sources, as the token passed to the editor has full access to your repos.
•Consider using a separate, scoped GitHub token for development to limit blast radius if such an attack occurs.
Why It Matters
This vulnerability demonstrates a practical one-click exploit against a widely used development tool. Any developer who clicks a link to a GitHub repo could lose their GitHub token, granting an attacker full access to all their repositories. The attack chain is clever and hard to spot, making it a critical security update for all VSCode users.
TP-Link Kasa EC71 Leaks Home GPS via Unauthenticated UDP for 6 Years
A security analysis of the Kasa Spot EC71 reveals three critical vulnerabilities, including hardcoded fleet-wide RSA private keys, unsalted MD5 password storage, and unauthenticated GPS exposure via UDP port 9999. The GPS leak has been publicly known since 2016 but only patched in firmware 2.4.1 after coordinated disclosure. An attacker can extract precise GPS coordinates, device identifiers, and credentials from any EC71 on the local network without authentication.