A one-click attack against Microsoft Visual Studio Code and GitHub.dev lets an attacker steal a victim’s GitHub OAuth token once the victim clicks a crafted link. The stolen token can then be used to access the victim’s private repositories. Microsoft has acknowledged the issue and is working on a fix. #VSCode #GitHub.dev #GitHubOAuthToken
Key points
- A single click on a malicious link can expose the victim's GitHub token.
- The attack abuses GitHub.dev and VS Code webviews.
- Malicious JavaScript can inject keypresses that open the Command Palette.
- An attacker-controlled extension can steal the OAuth token and enumerate private repositories.
- Local workspace extensions can bypass the trusted-publisher check.
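As an added defensive check, not code from the article or from Microsoft, the following script audits a cloned repository for local workspace extensions before the folder is opened in VS Code. It assumes VS Code's workspace-extension layout of one manifest per extension under `.vscode/extensions/<name>/package.json`, and flags manifests whose `activationEvents` make the extension run as soon as the window opens rather than on demand. The sample repository, its `example-publisher` name and its deliberately broken manifest are constructed for the example.

```python
"""Audit a cloned repository for local workspace extensions.

Added example, not code from the article or from Microsoft/GitHub. Assumes
VS Code's workspace-extension layout: one directory per extension under
.vscode/extensions/, each with a package.json manifest. The sample repository
is constructed in a temp dir so the script runs offline.
"""
import json
import tempfile
from pathlib import Path

WORKSPACE_EXT_DIR = Path(".vscode") / "extensions"

# activationEvents that make an extension run as soon as the window opens,
# i.e. without the user invoking any command first.
EAGER_ACTIVATION = {"*", "onStartupFinished"}


def find_workspace_extensions(repo: Path) -> list[dict]:
    """Return one finding per workspace-extension manifest found under the repo."""
    findings = []
    ext_root = repo / WORKSPACE_EXT_DIR
    if not ext_root.is_dir():
        return findings
    for manifest in sorted(ext_root.glob("*/package.json")):
        finding = {"path": str(manifest.relative_to(repo))}
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # A broken manifest is still a workspace extension: report it, don't skip it.
            finding["error"] = f"unreadable manifest: {exc}"
            findings.append(finding)
            continue
        events = data.get("activationEvents") or []
        finding.update({
            "publisher": data.get("publisher"),
            "name": data.get("name"),
            "main": data.get("main"),
            "activation_events": events,
            # Eager activation means the extension's code runs with no further click.
            "eager": bool(EAGER_ACTIVATION.intersection(events)),
        })
        findings.append(finding)
    return findings


def build_sample_repo() -> Path:
    """Construct a throwaway repo with one eager extension and one broken manifest (sample data)."""
    repo = Path(tempfile.mkdtemp(prefix="wsext-audit-"))
    ext = repo / WORKSPACE_EXT_DIR / "helper-ext"
    ext.mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps({
        "name": "helper-ext",
        "publisher": "example-publisher",  # hypothetical publisher, not a real one
        "main": "./out/extension.js",
        "activationEvents": ["*"],
    }), encoding="utf-8")
    broken = repo / WORKSPACE_EXT_DIR / "broken-ext"
    broken.mkdir(parents=True)
    (broken / "package.json").write_text("{not valid json", encoding="utf-8")
    # An unrelated, legitimate file that must not be reported.
    (repo / "README.md").write_text("sample repo\n", encoding="utf-8")
    return repo


if __name__ == "__main__":
    for f in find_workspace_extensions(build_sample_repo()):
        if "error" in f:
            print(f"{f['path']}: {f['error']}")
        else:
            flag = "EAGER" if f["eager"] else "on-demand"
            print(f"{f['path']}: {f['publisher']}.{f['name']} [{flag}] main={f['main']}")
```

Run it against any checkout you were sent a link to; every reported manifest deserves a look at its `main` entry point before the workspace is trusted, since these extensions are exactly the kind the article says escape the trusted-publisher check.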
Read More: https://thehackernews.com/2026/06/one-click-github-dev-attack-lets.html