Researcher Publishes VS Code Zero‑Day Exploit Allowing GitHub Token Theft via github.dev
What Happened — A security researcher disclosed a critical zero‑day in Visual Studio Code’s browser‑based editor (github.dev) that lets an attacker steal a GitHub OAuth token and gain read/write access to all repositories the victim can reach. The exploit can be triggered simply by clicking a crafted link or modifying a repository’s .vscode/extensions.json file.
Why It Matters for TPRM —
- The flaw bypasses VS Code’s extension‑approval UI, enabling silent installation of malicious extensions.
- Compromise of a single developer’s token can expose private code, intellectual property, and supply‑chain assets across multiple organizations.
- The rapid public release highlights the risk of insufficient coordinated‑disclosure processes for high‑impact vulnerabilities.
Who Is Affected — SaaS development platforms, cloud‑hosted IDEs, enterprises that rely on GitHub for source control, and any third‑party services that integrate with GitHub OAuth tokens.
Recommended Actions —
- Review contracts with Microsoft and GitHub for security‑incident response clauses.
- Verify that OAuth tokens are scoped to the minimum required repositories and permissions.
- Enforce strict extension‑approval policies and monitor for unauthorized extensions in VS Code instances.
- Apply any patches or mitigations released by Microsoft/GitHub immediately.
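One concrete way to act on the "monitor for unauthorized extensions" item, given that the vector described in the Technical Notes is a crafted `.vscode/extensions.json`, is to audit that file across your repository checkouts against an organisation allowlist. The script below is an added example written for this brief, not code from Security Affairs, Microsoft or GitHub; the allowlist, the repository names and both sample `extensions.json` bodies are constructed. It tolerates the comments and trailing commas VS Code accepts in that file, validates each identifier against the `publisher.name` form, and reports anything not on the allowlist.

```python
"""Audit .vscode/extensions.json recommendations against an org allowlist.

Added example for this brief. The allowlist below is a constructed policy and
the sample repositories are written to a temporary directory for the demo.
"""
import json
import re
import tempfile
from pathlib import Path

# Extension identifiers follow VS Code's publisher.name convention.
EXT_ID = re.compile(r"^[a-z0-9][a-z0-9-]*\.[a-z0-9][a-z0-9-]*$", re.IGNORECASE)

# Constructed org policy: only these two (real, widely used) extensions are approved.
ALLOWLIST = {"ms-python.python", "esbenp.prettier-vscode"}

# Constructed sample file bodies (not from any real repository or incident).
CLEAN = """{
  // team tooling
  "recommendations": ["ms-python.python", "esbenp.prettier-vscode",],
}"""
SUSPICIOUS = """{
  "recommendations": ["ms-python.python", "example-publisher.not-approved-ext", "bad id!"]
}"""


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments and trailing commas (accepted by VS Code,
    rejected by json.loads) while leaving string contents untouched."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if ch == '"':
                in_str = False
            i += 1
        elif ch == '"':
            in_str = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):        # line comment
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):        # block comment
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(ch)
            i += 1
    return re.sub(r",\s*([}\]])", r"\1", "".join(out))


def audit_recommendations(ext_json_text: str, allowlist) -> list:
    """Return a list of findings for one extensions.json body (empty = clean)."""
    allow = {a.lower() for a in allowlist}
    try:
        data = json.loads(strip_jsonc(ext_json_text))
    except json.JSONDecodeError as e:
        return [f"unparseable extensions.json: {e.msg}"]
    if not isinstance(data, dict):
        return ["extensions.json root is not an object"]
    recs = data.get("recommendations", [])
    if not isinstance(recs, list):
        return ["'recommendations' is not a list"]
    findings = []
    for rec in recs:
        if not isinstance(rec, str) or not EXT_ID.match(rec):
            findings.append(f"malformed extension id: {rec!r}")
        elif rec.lower() not in allow:
            findings.append(f"unapproved recommendation: {rec}")
    return findings


def scan_checkouts(root: Path, allowlist) -> dict:
    """Map each repository directory under root to its findings."""
    report = {}
    for ext_file in sorted(root.glob("*/.vscode/extensions.json")):
        repo = ext_file.parent.parent.name
        report[repo] = audit_recommendations(ext_file.read_text(encoding="utf-8"), allowlist)
    return report


def demo() -> dict:
    """Write the two constructed repositories to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in (("clean-repo", CLEAN), ("suspicious-repo", SUSPICIOUS)):
            d = root / name / ".vscode"
            d.mkdir(parents=True)
            (d / "extensions.json").write_text(body, encoding="utf-8")
        return scan_checkouts(root, ALLOWLIST)


if __name__ == "__main__":
    for repo, findings in demo().items():
        print(repo, "->", findings or "OK")
```

Point `scan_checkouts` at the directory where CI or a workstation keeps its clones; running it in CI on every push makes an unexpected change to `.vscode/extensions.json` visible at review time rather than after a developer opens the repository in github.dev.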
Technical Notes — The vulnerability resides in the token hand‑off between github.com and github.dev. The OAuth token is not scoped to the specific repository, granting full access to all repos the user can reach. An attacker can inject a malicious extension via a crafted extensions.json or embed HTML in a Jupyter Notebook to auto‑approve the extension install, then exfiltrate the token. No CVE was assigned at time of writing.
Source: Security Affairs