Skip to main content
Emerging ThreatsMalware & Ransomware

GitHub Dev Attack Exploits OAuth Tokens

Developer scrutinizes code with concern in a well-lit lab setting.

"Just by clicking a link, it's possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones," security researcher Ammar Askar said.

How a single click turns a web editor into an exfiltration channel

Researchers disclosed a one-click attack that exploits the web-based Visual Studio Code environment launched by GitHub.dev to steal full GitHub OAuth tokens. GitHub.dev runs as a lightweight source code editor in the browser's sandbox and is designed to let users make commits and send pull requests from within that web environment. The vulnerability leverages a chain of legitimate features — message passing between the main editor window and untrusted webviews, simulated key events, and extension installation mechanisms — to install a malicious extension and extract OAuth tokens sent to github.dev.

How GitHub.dev's token flow is abused

Ammar Askar explained the critical point of abuse: "This functionality is achieved by github.com POSTing over an OAuth token to github.dev that allows it to interact with GitHub on your behalf." The token the browser receives when a user opens a repository in github.dev is not scoped to a single repository; Askar notes it "has full access to every other repo that you have access to." That broad scope means a stolen token can be used to read and write across all repositories accessible to the victim, including private repositories.

Which VS Code features enable the exploit

The exploit places malicious JavaScript inside an untrusted webview — components used for Markdown previews or Jupyter notebooks — and uses that script to simulate keypresses (keydown events) in the main editor window. The script triggers the Command Palette via "Ctrl+Shift+P," then drives the editor to install an attacker-controlled extension. Once installed, the extension extracts the OAuth token passed to github.dev and uses the GitHub API to enumerate all private repositories the victim can access.

The attack further abuses a VS Code feature called local workspace extensions. If an extension is placed in a workspace's ".vscode/extensions" folder, it can be installed without showing any additional trust dialog; that effectively bypasses the trusted publisher check. Askar added that extensions can contribute extra keybindings in their package.json, and because keybindings can be reliably triggered by the webview, an attacker "can just add a keybind for whatever VS Code command we want, such as installing an extension while skipping the trusted publisher check."

Microsoft's acknowledgement and scope limits

Microsoft has acknowledged the vulnerability and said it is working on a fix. The company also clarified the affected surface: "To clarify, this issue does not affect VS Code Desktop," Alexandru Dima, a partner software engineering manager at Microsoft, said. The researcher noted that GitHub was notified of the vulnerability on June 2, 2026, and that details were made public about an hour after that notification, citing Microsoft's handling of VS Code–related bugs in the past.

What this means for technologists, enterprises, and end users

  • Technologists and security teams: The attack shows how browser-hosted editors and webview components can be used as a vector to escalate privileges and exfiltrate high-value tokens; defenders will need to treat OAuth tokens issued to web editors as sensitive credentials and review extension-installation controls and webview isolation.
  • Enterprises and repository owners: Because the token is not scoped to a single repository and can enumerate private repositories via the GitHub API, organizations should be aware that a compromised user token could expose multiple codebases at once.
  • End users and developers: A single click inside GitHub.dev can be sufficient to trigger the chain described by the researcher; users should follow any guidance from Microsoft and GitHub while a fix is developed and be cautious with untrusted content in webviews until the issue is resolved.

The incident illustrates a narrow but potent attack path: a browser-hosted editor, a message-passing flaw in webviews, simulated key events and legitimate extension mechanisms combine to turn a benign developer workflow into a channel for token theft. Microsoft says it is working on a fix; researchers disclosed the issue on June 2, 2026, shortly after notifying GitHub. For now, the vulnerability underlines how features designed for convenience — web-based editing, workspace-scoped extensions, and programmable keybindings — can be chained to bypass user trust and extract broad access tokens.

Original story