GitHub.dev: one click can steal a full OAuth token

Colleagues, a cybersecurity alert: a vulnerability in GitHub.dev allows a full OAuth token to be stolen with a single click.
Researcher Ammar Askar demonstrated how a malicious webview in the browser-based VS Code simulates clicks, opens the Command Palette and installs a local extension that extracts the token supplied to github.dev. The token isn’t repository-scoped and grants access to all repositories, including private ones.
GitHub was notified on June 2; Microsoft confirmed the issue. VS Code Desktop is not affected.
Why this matters: compromised tokens provide access to code and CI — posing supply-chain attack risks. I recommend updating your environment, removing suspicious extensions and rotating tokens.
How will you respond to this threat?
#cybersecurity #GitHub #VSCode #OAuth
