TL;DR
- Exploit Release: Security researcher Ammar Askar has released exploit code for a VS Code flaw that can steal GitHub tokens.
- Token Scope: The reported attack can reach private repositories because github.dev receives a broad OAuth token.
- Mitigation Path: Users can reduce risk by clearing github.dev site data and treating unexpected repository links as credential-risk events.
- Patch Status: The flaw had no CVE ID or completed patch at publication time.
Security researcher Ammar Askar released exploit code on June 2 for a Visual Studio Code flaw that can steal GitHub tokens after a victim clicks one github.dev repository link.
For developers, the practical risk is the token’s reach. GitHub’s browser editor receives an OAuth token that lets the session act for the signed-in user, and the disclosed chain can reach repositories beyond the one that opened the editor.
How the github.dev Attack Chain Works
Askar’s disclosure describes a chain that can steal GitHub authentication tokens. One stolen token can reach every repository the user can access, including private repositories.
GitHub’s github.dev browser editor lets signed-in users browse repositories, edit files, commit changes, and open a repository by changing github.com to github.dev. GitHub.com then sends an OAuth token to github.dev so the editor can interact with GitHub for the user.
An OAuth token works like a delegated credential: software can use it to act on the user’s behalf without asking for the password again. Here, the danger comes from a token broad enough to reach repositories beyond the one that launched the editor.
VS Code webviews render HTML inside the editor for extensions. A malicious webview can synthesize keyboard events, open the command palette, and drive commands that install attacker-controlled extension code.
Attackers then use local workspace extensions under .vscode/extensions to skip the trusted-publisher check that normally appears for a new extension publisher. From there, the exploit extension can grab the GitHub API token and run a GitHub API repository query to list private repositories available to the compromised account.
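Because the chain depends on extension code shipped inside the repository itself, one review step a team can run before opening an unfamiliar checkout is to enumerate anything under `.vscode/extensions` and read its manifest. The script below is an added example, not code from Askar's disclosure or from VS Code: it walks a checkout, lists every workspace-local extension directory, and reports the publisher, entry points and startup activation declared in its `package.json`. The manifest keys it reads (`publisher`, `main`, `browser`, `activationEvents`) are standard VS Code extension manifest fields; the sample checkout and every value in it are constructed for the example.

```python
"""Pre-open check for a cloned repository: list workspace-local VS Code extensions.

Added example, not code from the disclosure or from VS Code. It enumerates
directories under .vscode/extensions so a reviewer can inspect them before
opening the checkout in an editor that would load them. The sample repository
tree built below is constructed; its publisher and version values are placeholders.
"""
import json
import os
import tempfile
from pathlib import Path


def describe_extension(ext_dir: Path, repo_root: Path) -> dict:
    """Summarise one extension directory from its package.json (if present)."""
    manifest_path = ext_dir / "package.json"
    info = {
        "path": ext_dir.relative_to(repo_root).as_posix(),
        "name": ext_dir.name,
        "publisher": None,
        "entry_points": [],
        "activates_on_startup": False,
        "has_manifest": manifest_path.is_file(),
    }
    if not info["has_manifest"]:
        return info
    try:
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError):
        info["manifest_error"] = True
        return info
    info["name"] = manifest.get("name", ext_dir.name)
    info["publisher"] = manifest.get("publisher")
    # "main" is the Node entry point, "browser" the web-editor entry point.
    info["entry_points"] = [manifest[k] for k in ("main", "browser") if k in manifest]
    # An activation event of "*" means the code runs as soon as the workspace opens.
    info["activates_on_startup"] = "*" in manifest.get("activationEvents", [])
    return info


def find_workspace_extensions(repo_root) -> list:
    """Return one summary per directory found under any .vscode/extensions/."""
    root = Path(repo_root)
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        here = Path(dirpath)
        if here.name == "extensions" and here.parent.name == ".vscode":
            for child in sorted(here.iterdir()):
                if child.is_dir():
                    findings.append(describe_extension(child, root))
            dirnames[:] = []  # extension contents were already summarised; do not descend
    return findings


def build_sample_repo() -> str:
    """Constructed checkout: one benign source file and one workspace extension."""
    root = Path(tempfile.mkdtemp(prefix="checkout-"))
    (root / "src").mkdir()
    (root / "src" / "app.py").write_text("print('hello')\n", encoding="utf-8")
    ext = root / ".vscode" / "extensions" / "helper"
    ext.mkdir(parents=True)
    manifest = {
        "name": "helper",
        "publisher": "example-publisher",   # placeholder, not a real publisher
        "engines": {"vscode": "^1.80.0"},    # placeholder version range
        "activationEvents": ["*"],
        "browser": "./dist/web.js",
    }
    (ext / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    repo = build_sample_repo()
    for finding in find_workspace_extensions(repo):
        mode = "activates on startup" if finding["activates_on_startup"] else "on demand"
        print(f"{finding['path']}: {finding['name']} by {finding['publisher']} "
              f"({mode}); entry points: {finding['entry_points']}")
```

Run against a real checkout by passing its path to `find_workspace_extensions`; any result is worth a manual read of the manifest and entry-point files before the repository is opened in an editor, since a workspace-local extension bypasses the publisher prompt the article describes.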
A proof-of-concept repository links the demonstration code back to Askar’s token-stealing disclosure. Askar framed the token scope as the core danger for repository owners.
“The token is not scoped to the particular repo you interacted with, meaning it has full access to every other repo that you have access to.”
Ammar Askar, security researcher (via Ammar’s Blog)
Microsoft’s VS Code issue #319593 tracks the underlying problem: webviews can trigger arbitrary keyboard shortcuts in the main workbench, which is what makes the known chain possible.
Microsoft partner software engineering manager Alexandru Dima kept VS Code Desktop outside the affected path and wrote: “To clarify, this issue does not affect VS Code Desktop.” That clarification ties the known one-click path to github.dev and VS Code webview behavior rather than a broad GitHub account compromise.
Temporary Mitigation and Recent Extension Risks
Askar strongly recommends that users clear site data for github.dev. After clearing it, users see one dialog to click through again the next time they land on the site.
Askar also says the webview issue exists in VS Code Desktop but is harder to exploit. An attacker would need to convince a victim to clone a repository and open the notebook with the webview script payload.
Browser-based github.dev remains the immediate focus while developers wait for completed remediation, patch details, or a CVE identifier. Teams using github.dev should treat unexpected repository links as credential-risk events and review sessions for unusual repository enumeration.
An earlier case showed how AI coding agents can be tricked into stealing GitHub credentials when coding tools act on behalf of users.
Other developer-tool incidents explain why extension trust boundaries matter. In May, a poisoned VS Code extension exposed internal repositories at GitHub.
In March, developer-tool supply-chain malware spread across GitHub, npm, and the VS Code extension marketplace. In February, malicious VS Code extensions were linked to code, API key, and proprietary algorithm theft from 1.5 million developers.
Although the github.dev flaw is separate from those incidents, the shared risk is practical. Tools built to move code quickly also carry credentials, repository access, and extension permissions. A malicious link that loads attacker-controlled extension code can become repository exposure when the browser session token reaches private code.
What Developers Should Watch Next
Issue #319593 identifies arbitrary keyboard shortcuts in the main workbench as the security problem. Until a github.dev remediation is available, the guidance stands: treat unexpected repository links as credential-risk events and review sessions for unusual repository enumeration.
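The review the article recommends here and in the mitigation section, "review sessions for unusual repository enumeration", can be turned into a simple check over access logs. The script below is an added example, not part of the article or of any GitHub tooling: for each token it tracks how many distinct repositories were touched inside a sliding window and whether a repository-listing call appeared, which is the pattern the disclosed chain would leave behind. The log format, field names, token ids and repository names are all constructed for the example; GitHub's own audit log uses different fields, so the parser would need adapting to real input.

```python
"""Review a session log for unusual repository enumeration.

Added example, not from the article or from GitHub. The constructed format is
one event per line: timestamp, token id, actor, action and repository. A normal
editing session stays on one repository; a stolen token that lists repositories
and then reads many of them in quick succession is what this check surfaces.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: tok_a is an ordinary editing session on one repository;
# tok_b lists repositories and then reads many distinct ones within seconds.
SAMPLE_LOG = """\
2025-06-02T10:00:01Z token=tok_a actor=alice action=repo.read repo=acme/web
2025-06-02T10:00:40Z token=tok_a actor=alice action=repo.read repo=acme/web
2025-06-02T10:05:12Z token=tok_a actor=alice action=repo.write repo=acme/web
2025-06-02T10:07:02Z token=tok_b actor=bob action=repo.read repo=acme/demo
2025-06-02T10:07:03Z token=tok_b actor=bob action=repos.list repo=-
2025-06-02T10:07:04Z token=tok_b actor=bob action=repo.read repo=acme/payments
2025-06-02T10:07:04Z token=tok_b actor=bob action=repo.read repo=acme/billing
2025-06-02T10:07:05Z token=tok_b actor=bob action=repo.read repo=acme/infra
2025-06-02T10:07:05Z token=tok_b actor=bob action=repo.read repo=acme/secrets-ops
2025-06-02T10:07:06Z token=tok_b actor=bob action=repo.read repo=acme/mobile
2025-06-02T10:07:06Z token=tok_b actor=bob action=repo.read repo=acme/hr-tools
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) actor=(?P<actor>\S+) "
    r"action=(?P<action>\S+) repo=(?P<repo>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse the constructed line format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_enumeration(events, window=timedelta(minutes=5), max_repos=4) -> list:
    """One finding per token that listed repositories or touched more than
    max_repos distinct repositories inside any window-long span."""
    by_token = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_token[e["token"]].append(e)

    findings = []
    for token, evs in by_token.items():
        recent = deque()          # events inside the current sliding window
        peak = 0                  # highest distinct-repo count seen in any window
        listed = False
        for e in evs:
            if e["action"] == "repos.list":
                listed = True
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            distinct = {r["repo"] for r in recent if r["repo"] != "-"}
            peak = max(peak, len(distinct))
        if listed or peak > max_repos:
            findings.append({
                "token": token,
                "actor": evs[0]["actor"],
                "listed_repos": listed,
                "peak_distinct_repos": peak,
            })
    return findings


if __name__ == "__main__":
    for f in find_enumeration(parse_log(SAMPLE_LOG)):
        print(f"{f['token']} ({f['actor']}): listed={f['listed_repos']} "
              f"peak distinct repos in window={f['peak_distinct_repos']}")
```

The threshold of four repositories in five minutes is a starting point, not a calibrated baseline; tune `max_repos` and `window` against what normal github.dev sessions look like in your own logs, and treat a listing call followed by a burst of reads as the stronger signal of the two.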