BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

GitHub Token Theft Via VSCode Web Vulnerability

One-click exploit steals GitHub token via VS Code web editor vulnerability.

  • A critical vulnerability in Microsoft Visual Studio Code’s GitHub.dev web editor allows attackers to steal a user’s full-access GitHub token with a single click.
  • The exploit uses malicious JavaScript to install an attacker-controlled extension, bypassing security checks to access and potentially write to all of a user’s repositories.
  • Microsoft has acknowledged the flaw and is working on a fix, but the issue does not affect the VS Code Desktop application.

Cybersecurity researchers disclosed on June 3, 2026, a severe one-click attack vector in Microsoft Visual Studio Code’s GitHub.dev web editor. This vulnerability directly threatens the security of developers’ private code repositories.

- Advertisement -

“Just by clicking a link, it’s possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones,” security researcher Ammar Askar said. The token provides full access instead of being scoped to a single project.

The attack exploits a message-passing mechanism between the main editor and its webviews. Consequently, malicious JavaScript can simulate keypresses to open the Command Palette and install a rogue extension.

This extension then steals the GitHub OAuth token passed to the web-based editor. It can subsequently query the GitHub API to enumerate all accessible private repositories.

The exploit leverages a feature called local workspace extensions to bypass publisher trust checks. This allows installation directly from a workspace folder without security prompts.

- Advertisement -

Microsoft was notified of the vulnerability on June 2, 2026. Details were made public shortly thereafter, citing the company’s past handling of similar bugs.

“To clarify, this issue does not affect VS Code Desktop,” said Alexandru Dima, a partner software engineering manager at Microsoft. Meanwhile, the company has acknowledged the report and noted it is working on a fix.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

OpenAI Questions Merit of Apple’s Trade Secrets Suit

Apple accused OpenAI of targeting current and former employees to obtain confidential documents, designs,...

Senate to vote on crypto bill amid ethics corruption debate

The US Senate is expected to vote before August 10 on the CLARITY Act,...

IBM shares plummet 25% after earnings miss, worst drop in decades

IBM shares plunged up to 25% on Tuesday after missing Q2 earnings expectations, marking...

DeepMind CEO: AGI just years away, demands new US safety tests

Google DeepMind CEO Demis Hassabis predicts AGI will arrive within a few years, comparing...

Warsh: No Stablecoin Bailout, GENIUS Act Deadline Near

Federal Reserve Chair Kevin Warsh told lawmakers the central bank will not bail out...

Must Read

How to Choose a Cryptocurrency Exchange: Major Risks and Expert Advice

During the bitcoin frenzy, in late 2017, Coinbase, one of the key players in the global cryptocurrency market, stopped trading operations. At a point...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading