Microsoft Patches GitHub VSCode Flaw Exposing OAuth Tokens Across All Repos

3 articles · Updated · InfoWorld · Jun 4

Summary

  • GitHub’s browser-based VSCode editor could let attackers steal a developer OAuth token and use it to read or modify any repository that account could access, according to researcher Ammar Askar.
  • The flaw stemmed from github.com passing an unscoped token to github.dev; Askar’s proof of concept used a Jupyter notebook to install a malicious extension that bypassed a publisher trust check and exfiltrated the token.
  • Microsoft applied what Askar called a stopgap fix, adding a confirmation prompt before notebooks open in web VSCode and blocking commands from skipping the trusted-publisher requirement.
  • Askar gave GitHub only one hour of notice before publishing, saying a previous VSCode bug he reported was fixed without credit; the move revived the debate over how long researchers should wait before disclosing serious flaws.
  • The episode highlights broader DevOps security concerns around developer endpoints, with security experts urging stricter zero-trust controls and warning that poor vendor handling of reports can push researchers toward public disclosure.
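The first two summary points turn on the scope of the token github.com handed to the editor. As an added check, not code from InfoWorld, GitHub or Askar's proof of concept, the Python script below reads the scopes GitHub reports for a token in the `X-OAuth-Scopes` response header (GitHub returns it for OAuth tokens and classic personal access tokens; fine-grained tokens omit it) and flags anything beyond an allowlist for what an editor session should be allowed to hold. The allowlist, the sample header values and the `fetch_scopes` helper are assumptions for illustration, not anything GitHub.dev enforces; the implied-scope table is a partial copy of GitHub's documented scope hierarchy, so a bare `repo` is not mistaken for `public_repo`.

```python
"""Audit the scopes carried by a GitHub OAuth / classic PAT token.

Added example; not code from InfoWorld, GitHub, or Askar's research.
GitHub's REST API echoes a token's granted scopes in the X-OAuth-Scopes
response header. The allowlist below is an assumption: what a browser
editor session should be able to hold (read-only repo access).
"""
import urllib.request

# Assumed allowlist for an editor session (illustration only).
EDITOR_ALLOWED_SCOPES = frozenset({"public_repo", "read:user"})

# Partial table of GitHub's scope hierarchy: a parent scope implies its
# children, so "repo" must be expanded before comparing against the allowlist.
IMPLIED = {
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:public_key": {"write:public_key", "read:public_key"},
    "write:public_key": {"read:public_key"},
    "user": {"read:user", "user:email", "user:follow"},
}


def parse_scopes(header_value):
    """Parse the comma-separated X-OAuth-Scopes header into a set of scopes."""
    if header_value is None:
        return set()
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand_scopes(scopes):
    """Close the scope set over IMPLIED so parent scopes count as their children."""
    result = set(scopes)
    changed = True
    while changed:
        changed = False
        for scope in list(result):
            for child in IMPLIED.get(scope, ()):
                if child not in result:
                    result.add(child)
                    changed = True
    return result


def excess_scopes(granted, allowed=EDITOR_ALLOWED_SCOPES):
    """Return the expanded granted scopes that fall outside the allowlist."""
    return expand_scopes(granted) - set(allowed)


def audit(header_value, allowed=EDITOR_ALLOWED_SCOPES):
    """Return (over_scoped, sorted excess scopes) for one header value."""
    excess = excess_scopes(parse_scopes(header_value), allowed)
    return (bool(excess), sorted(excess))


def fetch_scopes(token, api="https://api.github.com/user"):
    """Live variant (needs network): read X-OAuth-Scopes from a real response.

    Assumed helper for illustration; the header is absent for fine-grained
    tokens, in which case an empty set is returned and should be treated
    as 'unknown' rather than 'no scopes'.
    """
    req = urllib.request.Request(api, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "scope-audit-example",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_scopes(resp.headers.get("X-OAuth-Scopes"))


if __name__ == "__main__":
    # Constructed sample header values (not captured from github.com).
    samples = {
        "editor-read-only": "public_repo, read:user",
        "unscoped-classic-token": "repo, workflow, admin:org, user",
        "no-scopes": "",
    }
    for name, header in samples.items():
        flagged, excess = audit(header)
        print(f"{name}: {'OVER-SCOPED' if flagged else 'ok'} {excess}")
```

Run it against a token you hold by calling `fetch_scopes(token)` and passing the result to `excess_scopes`; a token whose excess list contains `repo` or `workflow` is the situation the summary describes, where a session that only needs to edit one repository can reach everything the account can.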

Insights

Beyond this GitHub fix, is the trusted extension model for developer tools fundamentally broken?
With dev tools in the cloud, is the biggest threat to your code already inside your browser?
Is a one-hour vulnerability notice an ethical power play or a reckless public endangerment?

GitHub.dev OAuth Token Breach: Anatomy of the June 2026 VS Code Web Vulnerability and Supply Chain Impact

Overview

A newly disclosed critical vulnerability in GitHub.dev, the browser-based Visual Studio Code environment, puts its users at immediate risk. The flaw lies in how VSCode webviews handle keyboard events and message passing, an architectural weakness of browser-based IDEs that an attacker can reach through a malicious repository: opening it lets the attacker trigger unauthorized actions inside the editor and steal the user's GitHub token. Because that token grants access to the user's account and repositories, the projects and organizations behind it are exposed to compromise. As of June 3, 2026, no official patch had been released, so vigilance and caution are essential for every user.

...