Public zero-day in VS Code and github.dev can steal GitHub tokens and expose private repositories

A newly disclosed Visual Studio Code flaw can let attackers steal a victim’s GitHub sign-in token with a single click on a malicious link, potentially exposing every private repository that account can access. Researcher Ammar Askar published proof-of-concept exploit code on June 3, 2026; no CVE has been assigned and no official patch is available. The bug abuses message passing between sandboxed webviews and the main editor in github.dev, allowing a malicious extension to be installed that then extracts a broadly scoped GitHub OAuth token.
Why it matters: Developers, maintainers, and employees who use github.dev or VS Code-linked GitHub workflows could have source code and other private repository data exposed before a fix is available. Until Microsoft and GitHub ship a patch, users should treat github.dev links cautiously and clear github.dev cookies/site data so that any unexpected extension sign-in prompt becomes visible rather than being satisfied silently by an existing session.

Sources

A Record-Breaking Patch Tuesday for June 2026
Brian Krebs 2026.06.09 53% relevant
Krebs notes Microsoft also patched a zero-day in Visual Studio Code that can steal GitHub tokens, which appears to be the same underlying VS Code/github.dev token-theft flaw tracked separately.
Researcher publishes GitHub token-stealing exploit, blames Microsoft’s disclosure process
2026.06.04 95% relevant
This article is a direct update on that same VS Code/github.dev token-theft zero-day, adding that researcher Ammar Askar publicly released a working exploit, said he bypassed Microsoft’s reporting process, and that GitHub received about one hour’s notice before disclosure while Microsoft has not clarified crediting, CVE assignment, or exposure scope.
VS Code Vulnerability Allows One-Click GitHub Token Theft
Eduard Kovacs 2026.06.04 99% relevant
This article covers the same underlying event: Ammar Askar’s public disclosure of a one-click VS Code/github.dev zero-day that steals GitHub tokens via a malicious Jupyter notebook and extension install. It adds that Microsoft patched github.dev on June 3, notes the desktop VS Code path appears to remain unpatched, and reiterates the remote-code-execution risk on desktop.
Another bug hunter leaks Microsoft exploits in defiance of company’s handling of vulnerability disclosures
2026.06.03 97% relevant
This article is a direct report on the same underlying event: Ammar Askar's public disclosure of a VS Code/github.dev flaw that abuses Workspace Recommendations and a Jupyter Notebook Webview trick to auto-install a malicious extension and steal GitHub OAuth tokens. It adds detail on the disclosure timeline, Askar's decision to publish within an hour of notifying a GitHub contact, and his stated dispute with MSRC over prior VS Code vulnerability handling.
One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens
info@thehackernews.com (The Hacker News) 2026.06.03 96% relevant
The article appears to cover the same underlying event: a one-click attack in GitHub Dev/github.dev related to VS Code that can steal full GitHub OAuth tokens and expose private repositories.
VS Code zero-day lets hackers steal GitHub tokens in one click
Sergiu Gatlan 2026.06.03 100% relevant
This article appears to be the first major report establishing a distinct public zero-day affecting VS Code/github.dev, with exploit code and immediate defender action needed.