VS Code Webview Flaw Enabled One-Click Theft of GitHub OAuth Tokens
Security researcher Ammar Askar disclosed a zero-day in Visual Studio Code’s webview message-handling that allowed attackers to steal GitHub OAuth tokens from github.dev with a single malicious link. The attack abused forwarded keyboard events and simulated keypresses to cross the webview security boundary, silently install a malicious extension, and extract the token that GitHub passes to the browser-based editor. Multiple reports said the token was broadly scoped rather than limited to the repository being viewed, giving access to all repositories the victim could reach, including private repositories with read/write permissions.
The exploit chain was also reported to affect desktop VS Code in some scenarios involving attacker-controlled repositories and malicious workspace content, though Microsoft said the issue did not affect VS Code Desktop and later indicated the problem had been fixed in its services. Public reporting tied the disclosure to a dispute over Microsoft’s vulnerability-handling process, with Askar saying he notified GitHub shortly before release and published proof-of-concept code without coordinated disclosure. Recommended precautions included avoiding untrusted github.dev links, clearing saved site data for github.dev, and reviewing installed extensions for suspicious additions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft says the issue was already fixed in its services
A later report says Microsoft told BleepingComputer that the vulnerability had already been fixed in its services and that customers did not need to take action. This marks the first explicit claim in the references that remediation had already been completed.
Microsoft says it is working on a fix
Following disclosure, Microsoft acknowledged the issue and said it was working on a fix. This acknowledgment was reported after GitHub had been notified and the exploit details were public.
Microsoft opens VS Code issue #319593 on webview keyboard shortcut abuse
A GitHub issue was published in the microsoft/vscode repository documenting that webviews can trigger arbitrary keyboard shortcuts in the main workbench via forwarded keydown events. The issue describes the security implications of synthetic keyboard events crossing the webview boundary.
GitHub is notified about the vulnerability shortly before disclosure
Reports say Askar notified GitHub about the issue roughly one hour before making the vulnerability public. One source explicitly anchors the notification to June 2, 2026.
Ammar Askar publicly discloses VS Code/github.dev token-stealing zero-day
Security researcher Ammar Askar publicly disclosed a one-click vulnerability affecting github.dev and VS Code webviews that can lead to GitHub OAuth token theft, and published technical details and proof-of-concept exploit code. Multiple reports state this disclosure occurred on June 2, 2026.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
11 references tracked. Mallory keeps watching after this page renders.
В VS Code нашли 0-day-уязвимость, позволявшую похищать токены GitHub - Хакер
xakep.ru
Open sourceResearcher Drops a New VS Code Zero-Day After Losing Trust in Microsoft's Disclosure Process
securityaffairs.com
Open sourceResearcher publishes GitHub token-stealing exploit, blames Microsoft’s disclosure process | The Record from Recorded Future News
therecord.media
Open sourceOne-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens
thehackernews.com
Open sourceHole in GitHub’s browser-based VSCode editor could lead to stolen token | CSO Online
csoonline.com
Open sourceSecurity: Webviews can trigger arbitrary keyboard shortcuts in the main workbench · Issue #319593 · microsoft/vscode
github.com
Open source1-Click GitHub Token Stealing via a VSCode Bug : r/netsec
reddit.com
Open source1-Click GitHub Token Stealing via a VSCode Bug - Ammar's Blog
blog.ammaraskar.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Fake VS Code Security Alerts on GitHub Discussions Push Malware
A large-scale phishing campaign is abusing **GitHub Discussions** to post fake **Visual Studio Code** security alerts that pressure developers into downloading malware from external links. The posts impersonate legitimate advisories with fabricated `CVE` identifiers, fake affected version ranges, and urgent language, while newly created or low-activity accounts mass-tag developers across unrelated repositories to expand reach. Because GitHub Discussions can trigger email notifications to watchers and participants, the operation gains additional credibility and visibility beyond the platform itself. Analysis of the linked infrastructure showed a multi-stage redirection chain that used a Google `share.google` endpoint and the attacker-controlled domain `drnatashachinn[.]com`. The delivered JavaScript performed browser fingerprinting, cookie checks, obfuscation, and anti-analysis steps to distinguish real users from bots or security scanners before routing victims to later-stage malicious content, consistent with a traffic distribution system. Researchers said the campaign appears coordinated and automated, and urged developers to treat unsolicited GitHub security alerts with external download links as suspicious and verify VS Code updates only through official Microsoft channels.
Mar 27, 2026
Critical Vulnerabilities in Popular VS Code Extensions Enable Local File Theft and Code Execution
Security researchers at **OX Security** disclosed multiple vulnerabilities across widely used Microsoft Visual Studio Code extensions—**Live Server**, **Code Runner**, **Markdown Preview Enhanced**, and **Microsoft Live Preview**—with combined installs reported at **125–128 million**. The issues enable attacks ranging from **local file exfiltration** to **arbitrary code/JavaScript execution**, and highlight how a single vulnerable or malicious extension can be leveraged for broader compromise and potential lateral movement in developer environments. Reported flaws include **CVE-2025-65717** (Live Server; CVSS 9.1) enabling local file theft by luring a developer to a malicious site while the extension’s local server is running (e.g., `localhost:5500`), **CVE-2025-65716** (Markdown Preview Enhanced; CVSS 8.8) allowing arbitrary JavaScript execution via a crafted `.md` file with subsequent local port enumeration and exfiltration, and **CVE-2025-65715** (Code Runner; CVSS 7.8) enabling code execution by tricking users into modifying `settings.json`. Separate reporting on **Microsoft Live Preview** describes a **one-click reflected XSS** and unauthenticated request abuse against the extension’s local development server to enumerate and exfiltrate sensitive files (e.g., `.env`, API keys, source code); this Live Preview issue was reported as patched in version **0.4.16** via input sanitization (e.g., an `escapeHTML` function), while other extension issues were described as **unpatched** at the time of reporting.
Mar 21, 2026
Malicious Aqua Trivy VS Code Extension Published to OpenVSX After GitHub Token Compromise
Threat actors inserted unauthorized code into the *Aqua Trivy* VS Code extension distributed via the **OpenVSX** registry, with the tampered builds appearing as versions **1.8.12** and **1.8.13** under the `aquasecurityofficial.trivy-vulnerability-scanner` namespace. Reporting indicates the malicious code was not present in the public GitHub repository (versions up to **1.8.11** matched), and the injected logic was designed to weaponize locally installed AI coding assistants—invoking tools such as **Claude, Codex, Gemini, GitHub Copilot CLI, and Kiro CLI** with permissive options—to perform host reconnaissance and collect data while running detached in the background and suppressing output to avoid user visibility. Researchers tied the extension tampering to a broader automated campaign targeting **GitHub Actions** workflows, where insecure CI/CD configurations and overprivileged tokens can enable repository takeover and downstream supply-chain abuse. Socket.dev flagged the suspicious OpenVSX extension behavior, while StepSecurity documented that the wider bot-driven GitHub Actions activity led to theft of a **personal access token (PAT)** and subsequent takeover of Aqua’s Trivy GitHub repository—providing the access needed to publish the modified extension. Separate reporting on the **hackerbot-claw** campaign described autonomous exploitation of misconfigured `pull_request_target` workflows to achieve runner RCE and exfiltrate write-capable `GITHUB_TOKEN`s, reinforcing the same core risk: CI/CD token exposure and workflow misconfigurations can rapidly translate into codebase control and malicious artifact distribution.
Mar 20, 2026