Last updated: July 5, 2026 at 9:01 AM UTC
Tag: oauth-token-theft (1 article)

VS Code zero-day lets one click steal full-scope GitHub OAuth token via github.dev webview - PoC public, no patch yet

Security researcher Ammar Askar has released exploit code for an unpatched VS Code zero-day that lets attackers steal GitHub OAuth tokens with a single click. The flaw abuses VS Code's sandboxed webview message-passing system: malicious JavaScript in a webview simulates keypresses in the main editor to install a malicious extension, which then captures the GitHub OAuth token that github.com POSTs to github.dev. The token is not scoped to a single repo - it grants full access to every private repository the victim can reach. No CVE has been assigned and there is no patch. Users can mitigate by clearing github.dev cookies and on-device site data, which restores the sign-in prompt.

Check
Inventory developer machines using VS Code and github.dev. Warn developers not to click untrusted links that open github.dev. Audit installed VS Code extensions for unfamiliar additions.
Affected
VS Code users who authenticate to github.dev. The leaked GitHub OAuth token is not scoped to a single repo; it grants full access to every private repository the victim can reach. No patch or CVE yet.
Fix
Until patched: clear github.dev cookies and on-device site data so the sign-in prompt reappears. Treat unsolicited github.dev links as hostile. Rotate GitHub tokens if exposure is suspected.