{"id":225427,"date":"2026-06-03T08:58:00","date_gmt":"2026-06-03T12:58:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/03\/one-click-github-dev-attack-lets-attackers-steal-full-github-oauth-tokens\/"},"modified":"2026-06-03T14:45:32","modified_gmt":"2026-06-03T18:45:32","slug":"one-click-github-dev-attack-lets-attackers-steal-full-github-oauth-tokens","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/03\/one-click-github-dev-attack-lets-attackers-steal-full-github-oauth-tokens\/","title":{"rendered":"One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/one-click-github-dev-attack-lets.html\">One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/one-click-github-dev-attack-lets.html\">https:\/\/thehackernews.com\/2026\/06\/one-click-github-dev-attack-lets.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-03 08:58:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points.<br \/>\n\ue804Ravie Lakshmanan\ue802Jun 03, 2026Vulnerability \/ Software Development<br \/>\nCybersecurity researchers have disclosed a one-click attack via Microsoft Visual Studio Code (VS Code) that makes it possible to steal a user&#8217;s GitHub token.<\/p>\n<p>&#8220;Just by clicking a link, it&#8217;s possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones,&#8221; security researcher Ammar Askar said.<\/p>\n<p>GitHub supports a feature called GitHub.dev that runs as a lightweight web-based source code editor in the web browser&#8217;s sandbox by launching a VS Code environment. It allows users to send pull requests and make commits.<\/p>\n<p>&#8220;This functionality is achieved by github.com POSTing over an OAuth token to github.dev that allows it to interact with GitHub on your behalf,&#8221; Askar said. &#8220;The token is not scoped to the particular repo you interacted with, meaning it has full access to every other repo that you have access to.&#8221;<\/p>\n<p>In a nutshell, the vulnerability allows attackers to install malicious VS Code extensions that steal GitHub OAuth tokens when they are passed to GitHub.dev by exploiting a message-passing mechanism between the main VS Code window and webviews. Webviews are used to render Markdown previews or edit Jupyter notebooks.<\/p>\n<p>Specifically, the exploit runs malicious JavaScript inside an untrusted webview to simulate keypresses (aka keydown events) in the main editor window, open the Command Palette by triggering &#8220;Ctrl+Shift+P,&#8221; and install an attacker-controlled extension that extracts the GitHub OAuth token sent to GitHub.dev and queries the GitHub API to enumerate all private repositories the victim can access.<\/p>\n<p>It&#8217;s worth noting the approach also leverages a VS Code feature called local workspace extensions that allows an extension to be directly installed without presenting any additional trust dialog prompt as long as it&#8217;s placed in the &#8220;.vscode\/extensions&#8221; folder within that workspace, effectively bypassing the publisher trust check.<\/p>\n<p>&#8220;This is just a small hiccup though, one of the things that extensions can do as part of their package.json is to contribute extra keybindings to VS Code,&#8221; the researcher explained. &#8220;Since we can reliably trigger keybindings, we can just add a keybind for whatever VS Code command we want, such as installing an extension while skipping the trusted publisher check.&#8221;<\/p>\n<p>The researcher also noted GitHub was notified of the vulnerability on June 2, 2026, an hour after which details of the issue were made public knowledge, citing Microsoft&#8217;s handling of VS Code-related bugs in the past. As of writing, Microsoft has acknowledged the vulnerability and noted that it&#8217;s working on a fix.<\/p>\n<p>&#8220;To clarify, this issue does not affect VS Code Desktop,&#8221; Alexandru Dima, a partner software engineering manager at Microsoft, said.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens https:\/\/thehackernews.com\/2026\/06\/one-click-github-dev-attack-lets.html Publish Date: 2026-06-03&#8230;<\/p>\n","protected":false},"author":1,"featured_media":225428,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgeHvqmNHvAhdxgoBLbfFWsFBMdvH5SbJovunxx8AYHRkq7HOQ2l6I_ZaJGi_PF5WHKOlHEQHK4HyPBhmzOpYNhPS4HJSna2uLVlEwUV9i2j5YuRqGOLUqgKIrhx2ndFm1OSME7usiLk_ohtIBYyR5Xpq5Pzc2eHAjCK0OA_89JwPNxVrrBVDbTDRVbRG6e\/s1600\/github.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,27],"class_list":["post-225427","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/225427"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=225427"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/225427\/revisions"}],"predecessor-version":[{"id":225429,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/225427\/revisions\/225429"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/225428"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=225427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=225427"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=225427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}