VSCode Bug Lets Malicious Repos Steal GitHub Tokens
Key insights
- The attack chains synthetic keyboard events from a VSCode webview sandbox to the main window, bypassing iframe security isolation.
- Stolen GitHub tokens grant full read/write access across all the victim's repositories, not just the one they visited.
- Askar chose full public disclosure over MSRC, citing a prior incident where Microsoft silently patched his VSCode bug without credit.
Why this matters
GitHub tokens obtained through this attack carry full read/write access to every repository the victim can reach, so one malicious link could expose an entire organization's private codebase. On github.dev the attack works by default with no security dialog; the victim only has to open a crafted repository link, which makes it directly usable in developer supply-chain attacks. With no CVE assigned and MSRC bypassed entirely, no advisory or fix is coming through the standard vendor-disclosure pipeline, and github.dev users stay exposed until GitHub or Microsoft ships a patch.
Summary
A VSCode webview flaw lets a malicious repo steal a visitor's GitHub token in one click, researcher Ammar Askar disclosed June 2, 2026.
The attack dispatches synthetic keyboard events from a sandboxed webview into VSCode's main window, chaining shortcuts like Ctrl+Shift+A and Ctrl+F1 to silently install a malicious extension via a crafted Jupyter notebook and workspace extension.
The underlying cause: github.dev (GitHub and Microsoft) lets local workspace extensions install without publisher verification.
- Stolen tokens grant full read/write access to all repos the victim can reach, not just the one visited.
- Both github.dev and VSCode desktop are affected; on desktop the victim must clone and open the crafted repository.
- No CVE; Askar bypassed MSRC after they silently fixed his prior bug without credit.
No patch exists as of June 2, 2026.
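The summary above says the exploit works because keydown events generated by script inside the webview reach the main window and are treated like real keystrokes. The following is an added illustration, not code from VSCode or from Askar's write-up: it models a keyboard-forwarding bridge between an embedded frame and its host and shows the two checks that break that chain. The frame side forwards only events whose read-only `isTrusted` flag is `true` (the browser sets it; events created with `new KeyboardEvent()` or fired through `dispatchEvent()` from script always carry `isTrusted === false`), and the host side only runs chords from an explicit allowlist that excludes extension management. Event objects are plain objects shaped like DOM `KeyboardEvent`s so the file runs under Node, and whether VSCode's webview bridge is structured this way is an assumption of the example, not something the page states.

```javascript
// Added illustration, not VSCode's or Askar's code. Models a keydown bridge
// between an embedded frame ("webview") and its host window.
// Assumption: the host learns about keystrokes in the frame through a
// postMessage-style channel, as the summary describes.

// Normalise a keydown event into a chord string such as "ctrl+shift+a".
function chordFromEvent(e) {
  const parts = [];
  if (e.ctrlKey) parts.push("ctrl");
  if (e.shiftKey) parts.push("shift");
  if (e.altKey) parts.push("alt");
  if (e.metaKey) parts.push("meta");
  parts.push(String(e.key).toLowerCase());
  return parts.join("+");
}

// Frame side: forward a keydown to the host only if the browser generated it.
// `post` stands in for window.parent.postMessage. Script-created events
// (isTrusted === false) are dropped before they ever leave the frame.
function forwardKeydown(e, post) {
  if (e.isTrusted !== true) {
    return { forwarded: false, reason: "synthetic event" };
  }
  const chord = chordFromEvent(e);
  post({ type: "did-keydown", chord });
  return { forwarded: true, chord };
}

// Host side: chords the host is willing to run on behalf of a webview.
// Anything that installs or manages extensions is deliberately absent.
const WEBVIEW_ALLOWED_CHORDS = new Set(["ctrl+c", "ctrl+v", "ctrl+f", "escape"]);

// Host side: run a forwarded chord only if it is allowlisted and bound.
// Returns the chord that ran, or null when the message was dropped.
function hostHandleMessage(msg, commands) {
  if (!msg || msg.type !== "did-keydown" || typeof msg.chord !== "string") return null;
  if (!WEBVIEW_ALLOWED_CHORDS.has(msg.chord)) return null;
  const cmd = commands.get(msg.chord);
  if (!cmd) return null;
  cmd();
  return msg.chord;
}

// End to end: push a list of frame events through both sides and report
// which host commands actually executed.
function runBridge(events, commands) {
  const executed = [];
  for (const e of events) {
    forwardKeydown(e, (msg) => {
      const ran = hostHandleMessage(msg, commands);
      if (ran) executed.push(ran);
    });
  }
  return executed;
}

// Constructed sample events. The first two mimic what the browser produces
// for real key presses (isTrusted true); the last two mimic events created by
// page script (isTrusted false), one of them using an allowlisted chord.
const SAMPLE_EVENTS = [
  { isTrusted: true,  ctrlKey: true, shiftKey: false, altKey: false, metaKey: false, key: "c" },
  { isTrusted: true,  ctrlKey: true, shiftKey: true,  altKey: false, metaKey: false, key: "a" },
  { isTrusted: false, ctrlKey: true, shiftKey: true,  altKey: false, metaKey: false, key: "A" },
  { isTrusted: false, ctrlKey: true, shiftKey: false, altKey: false, metaKey: false, key: "v" },
];

// Host command table for the demo. ctrl+shift+a exists on the host but is not
// reachable from a webview because it is absent from WEBVIEW_ALLOWED_CHORDS.
const DEMO_COMMANDS = new Map([
  ["ctrl+c", () => {}],
  ["ctrl+v", () => {}],
  ["ctrl+shift+a", () => {}],
]);

console.log(runBridge(SAMPLE_EVENTS, DEMO_COMMANDS)); // [ 'ctrl+c' ]
```

Only the genuine ctrl+c survives: the real ctrl+shift+a is forwarded but refused by the host allowlist, and both script-generated events are stopped in the frame because `isTrusted` cannot be set from script. Checking the flag in the frame (where the original event lives) matters; once the host has re-created an event from a message, the flag no longer carries any information about who pressed the key.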
Potential risks and opportunities
Risks
- Developers using github.dev with private organizational repos face full token exfiltration via a single shared malicious link, with no patch available as of June 2, 2026.
- VSCode desktop users who clone and open a crafted repo containing a malicious Jupyter notebook are also exposed, expanding the attack surface beyond github.dev.
- Microsoft faces credibility pressure in the security research community: Askar documented MSRC silently patching his prior VSCode bug without credit, and Starlabs reported a VSCode XSS bug that MSRC marked ineligible and low severity.
Opportunities
- GitHub can limit blast radius immediately by scoping github.dev session tokens to the specific repository being accessed rather than granting full account-wide read/write.
- Microsoft VSCode team can close the attack surface by adding publisher verification requirements for local workspace extensions on github.dev.
- Security teams at organizations using github.dev can mitigate now by following Askar's published workaround: clearing cookies and local storage to force re-authentication.
What we don't know yet
- No CVE has been assigned and no patch timeline from GitHub or Microsoft has been stated as of the June 2, 2026 public disclosure.
- Whether GitHub can narrow github.dev token scoping so credentials are repo-specific rather than granting account-wide read/write access.
- Whether other VSCode extensions or notebook renderers share the same synthetic keyboard event propagation vulnerability Askar identified.
Originally reported by blog.ammaraskar.com
Original headline: 1-Click GitHub Token Stealing via VSCode Webview Bug Disclosed — Malicious Repo Silently Installs Extension, Exfiltrates Full Repo Access