VS Code Zero-Day: One Click Steals All Your GitHub Repositories

04.06.2026

A zero-day vulnerability in Visual Studio Code lets attackers steal a developer's GitHub OAuth token with a single click - granting full access to every private repository that account can reach. Security researcher Ammar Askar published the exploit on June 3, 2026, and released proof-of-concept code without going through Microsoft's official security process. As of this writing, no patch exists and no CVE has been assigned.

How the One-Click Exploit Works

The attack begins when a victim clicks a specially crafted link pointing to github.dev, the browser-based version of VS Code that Microsoft hosts in the cloud. Once the page loads, malicious JavaScript embedded in the link runs inside a VS Code Webview - a sandboxed iframe-like component that VS Code uses to render extension UI and web content.

From inside that Webview, the malicious script exploits a flaw in VS Code's Window.postMessage() API to simulate keypresses in the main editor. Those simulated keystrokes are used to silently install a rogue VS Code extension. The extension then harvests the GitHub OAuth token that github.dev received during login and sends it to the attacker. With that token, the attacker can query the GitHub API and access every repository the victim's account can reach - not just the one they were browsing.

The entire chain - click, Webview execution, extension install, token extraction - takes seconds and requires no additional interaction from the victim.

Why VS Code's Webview Security Model Fails Here

VS Code sandboxes Webview content to prevent untrusted extensions from directly touching the main editor environment. In theory, the isolation means a malicious Webview can only communicate with the outside world through carefully defined message-passing channels.

In practice, the Window.postMessage() bridge that forwards keyboard events between a Webview and the main editor doesn't properly validate the origin or intent of those messages. Askar's exploit feeds the bridge a stream of fake key events that spell out terminal commands to install an extension - and VS Code obediently executes them.

The vulnerability sits at the intersection of two design choices: the convenience feature of keyboard event forwarding, and the trust VS Code places in messages arriving through that channel. Disabling Webviews entirely would break a large portion of the extension ecosystem, so there is no simple configuration workaround.
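To make the design point concrete, here is an added illustration (not VS Code's code, and not the researcher's exploit) of the bug class described above: a `postMessage` bridge that forwards any key event it receives, beside one that checks the sender's origin and window and refuses to turn Webview-supplied data into keyboard input at all. The origin, the message shapes and the allow-list are assumptions for the example.

```javascript
// Added illustration of the bug class: a postMessage bridge that trusts
// whatever a Webview sends. Not VS Code's own code; values are assumed.
const WEBVIEW_ORIGIN = "https://webview.example";          // assumed frame origin
const ALLOWED_TYPES = new Set(["resize", "requestFocus"]);  // benign host actions

// Weak bridge: any "keydown" message is replayed as if the user typed it,
// so a script inside the frame can type into the editor or its terminal.
function weakBridge(event, editor) {
  const msg = event.data;
  if (msg && msg.type === "keydown" && typeof msg.key === "string") {
    editor.keystrokes.push(msg.key);
    return { forwarded: true };
  }
  return { forwarded: false };
}

// Hardened bridge: rejects the wrong origin or source window, accepts only
// an allow-list of message types, and never synthesizes keystrokes.
function hardenedBridge(event, expectedSource, editor) {
  if (event.origin !== WEBVIEW_ORIGIN) {
    return { forwarded: false, reason: "untrusted origin" };
  }
  if (event.source !== expectedSource) {
    return { forwarded: false, reason: "unexpected source window" };
  }
  const msg = event.data;
  if (!msg || typeof msg.type !== "string" || !ALLOWED_TYPES.has(msg.type)) {
    return { forwarded: false, reason: "message type not allowed" };
  }
  editor.events.push(msg.type); // handled as a host action, never as raw input
  return { forwarded: true };
}

// Constructed input: a forged key event arriving from an unexpected origin.
function demo() {
  const frame = { id: "webview-frame" };
  const editor = { keystrokes: [], events: [] };
  const forged = {
    origin: "https://attacker.example", // constructed, not a real site
    source: frame,
    data: { type: "keydown", key: "Enter" },
  };
  const weak = weakBridge(forged, editor);
  const hard = hardenedBridge(forged, frame, editor);
  return { weak, hard, typed: editor.keystrokes.length };
}
```

In a real browser the same checks go in the `window.addEventListener("message", ...)` handler on the host side; the functions above take the event as a plain object so the logic can be exercised outside a browser.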

What Data Is Actually at Risk

A stolen GitHub OAuth token is far more valuable than a single repository password. OAuth tokens scope access at the account level, meaning the attacker inherits every permission the victim's account holds: reading and cloning private code, pushing malicious commits, modifying CI/CD pipeline configurations, accessing secrets stored in repository settings, and enumerating every private project the developer contributes to - including those belonging to their employer or clients.

For developers working on proprietary software, internal tools, or security-sensitive infrastructure, a single token theft can translate into a full source code leak, a supply chain attack, or persistent backdoor access to production systems. The attack is silent: the victim sees nothing unusual during or after the exploit.

Why the Researcher Skipped Microsoft's Bug Bounty Process

Askar chose full public disclosure specifically because of a prior incident with Microsoft's Security Response Center (MSRC). According to his blog post, he had previously reported a separate VS Code vulnerability through proper channels. Microsoft quietly fixed the bug in a later update without crediting Askar, without publishing a security advisory, and without acknowledging the security impact of the flaw. He considered that outcome a breach of the implicit contract between researchers and vendors.

This time, Askar gave GitHub security exactly one hour's notice before posting publicly. He did not file with MSRC at all. He also released working proof-of-concept exploit code alongside the writeup, ensuring the technical details were immediately available to both defenders and the broader security community.

Microsoft responded with a statement saying the company "remains committed to rapidly assessing reported issues" and delivering "mitigations, guidance, and protections as quickly as possible." The company did not acknowledge the specific complaint about the earlier undisclosed fix, nor provide a timeline for patching the current vulnerability.

How Developers Can Reduce Their Exposure

Until Microsoft ships a patch, the most effective immediate step is to clear cookies and local site data for github.dev in your browser. This forces a fresh authentication prompt the next time you visit the site, which triggers a visual warning if any exploit attempt is already in progress. Treat any unexpected VS Code extension installation prompt - especially one you did not initiate - as a red flag and abort immediately.

More broadly, this incident is a reminder that development environments handle highly sensitive credentials and that the attack surface is larger than most developers assume. Clicking links in code review comments, chat messages, or emails that lead to github.dev or other cloud IDE environments is now a meaningful risk vector. Using a VPN on public or untrusted networks reduces exposure to traffic interception that could augment this class of attack - for example, intercepting the token in transit or delivering the malicious link through a manipulated DNS response.

Developers who work with sensitive repositories should also audit their GitHub token scopes and consider rotating active OAuth tokens as a precautionary measure, even before a patch lands. Least-privilege token policies - limiting what any individual token can access - reduce the blast radius if a token is compromised.
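As an added example of the scope audit recommended above (not from the article), the snippet below reads the scopes GitHub reports in the `X-OAuth-Scopes` response header of an authenticated API call and flags the ones that would give a thief the broad access described earlier. The ranking of which scopes count as high impact is an assumption for the example.

```javascript
// Added example: audit the scopes attached to a GitHub OAuth / classic token.
// GitHub returns a token's scopes in the X-OAuth-Scopes header of API responses.
// Which scopes are treated as high impact below is an assumption for the example.
const HIGH_IMPACT = {
  repo: "read/write on every private repository the account can reach",
  workflow: "modify GitHub Actions workflows (CI/CD)",
  "admin:org": "administer organizations",
  "write:packages": "publish packages",
  delete_repo: "delete repositories",
};

// Parse a header value such as "repo, workflow, read:org" and rank the scopes.
// A missing header yields an empty list (no scope information available).
function assessScopes(headerValue) {
  const scopes = (headerValue || "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean);
  const risky = scopes
    .filter((s) => Object.prototype.hasOwnProperty.call(HIGH_IMPACT, s))
    .map((s) => ({ scope: s, impact: HIGH_IMPACT[s] }));
  return { scopes, risky, leastPrivilege: risky.length === 0 };
}

// Live check against the API (needs network and a token in GITHUB_TOKEN);
// the assessment itself runs offline. Uses the global fetch of Node 18+.
async function fetchScopes(token) {
  const res = await fetch("https://api.github.com/user", {
    headers: { Authorization: `Bearer ${token}`, "User-Agent": "scope-audit" },
  });
  if (!res.ok) {
    throw new Error(`GitHub API returned ${res.status}`);
  }
  return assessScopes(res.headers.get("x-oauth-scopes"));
}

// Usage: fetchScopes(process.env.GITHUB_TOKEN).then(r => console.log(r));
```

A token whose report lists `repo` or `workflow` is the kind that turns a single leak into the full-account compromise the article describes; rotating it and re-issuing with narrower scopes is the precaution the text recommends.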
