- A critical vulnerability in Microsoft Visual Studio Code’s GitHub.dev web editor allows attackers to steal a user’s full-access GitHub token with a single click.
- The exploit uses malicious JavaScript to install an attacker-controlled extension, bypassing security checks to access and potentially write to all of a user’s repositories.
- Microsoft has acknowledged the flaw and is working on a fix, but the issue does not affect the VS Code Desktop application.
Cybersecurity researchers disclosed on June 3, 2026, a severe one-click attack vector in Microsoft Visual Studio Code’s GitHub.dev web editor. This vulnerability directly threatens the security of developers’ private code repositories.
“Just by clicking a link, it’s possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones,” security researcher Ammar Askar said. The token provides full access instead of being scoped to a single project.
The attack exploits a message-passing mechanism between the main editor and its webviews: through it, malicious JavaScript can simulate keypresses that open the Command Palette and install a rogue extension.
This extension then steals the GitHub OAuth token passed to the web-based editor. It can subsequently query the GitHub API to enumerate all accessible private repositories.
The exploit leverages a feature called local workspace extensions to bypass publisher trust checks. This allows installation directly from a workspace folder without security prompts.
Microsoft was notified of the vulnerability on June 2, 2026. Details were made public shortly thereafter, with the researcher citing the company’s past handling of similar bugs as the reason for the quick disclosure.
“To clarify, this issue does not affect VS Code Desktop,” said Alexandru Dima, a partner software engineering manager at Microsoft. Meanwhile, the company has acknowledged the report and noted it is working on a fix.