VS Code Configs Expose GitHub Codespaces to Attacks

Orca Security warns that GitHub Codespaces automatically executes VS Code–integrated configuration files when opening repositories or pull requests, creating a supply chain attack vector. Attackers can abuse .vscode files, devcontainer.json, and terminal variables to run commands, exfiltrate GitHub tokens and Codespaces secrets, and leverage vulnerabilities like “0.0.0.0 Day” to expand access. #GitHubCodespaces #OrcaSecurity

Key points

  • Codespaces automatically respects and executes repository-defined VS Code configurations, exposing execution and secret-handling features to repository content.
  • Malicious JSON files in the .vscode folder or terminal variable settings can trigger arbitrary command execution, particularly on Linux via bash.
  • The devcontainer.json file can embed commands that run after container initialization, enabling post-startup code execution.
  • Exfiltrated GitHub tokens and Codespaces secrets can be abused to push code as maintainers, create malicious pull requests, and facilitate supply chain attacks.
  • Orca reported the issue to Microsoft, which said the behavior is intentional. Attackers could also use malicious extensions and the “0.0.0.0 Day” vulnerability to access local services or premium AI APIs.
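The key points above describe configuration that Codespaces honours as soon as a repository or pull request is opened. The following script is an added example (not code from the article or from Orca Security) of a defender-side pre-open audit: it walks a checkout and lists every devcontainer lifecycle command, integrated-terminal environment or profile setting, folder-open task, and auto-installed extension so a reviewer can inspect them before launching a Codespace. The key names it looks for are assumptions taken from the public devcontainer.json and VS Code settings schemas as understood here, not from the article, and the sample repository it builds is constructed for the demonstration.

```python
"""Pre-open audit of repository configuration that GitHub Codespaces applies
automatically. Added example, not from the article or Orca Security; the key
names below are assumptions drawn from the public devcontainer.json and VS Code
settings schemas and should be extended as those schemas evolve."""
import json
import tempfile
from pathlib import Path

# devcontainer.json lifecycle hooks that run shell commands (assumed from the devcontainer spec)
DEVCONTAINER_COMMAND_KEYS = (
    "initializeCommand", "onCreateCommand", "updateContentCommand",
    "postCreateCommand", "postStartCommand", "postAttachCommand",
)
# settings.json keys that inject environment variables or shell profiles into the terminal (assumed)
TERMINAL_SETTING_PREFIXES = ("terminal.integrated.env.", "terminal.integrated.profiles.")


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments but leave string literals untouched (devcontainer.json is JSONC)."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                      # copy a string literal verbatim, honouring escapes
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):          # line comment: drop up to (not including) the newline
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):          # block comment
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def load_jsonc(path: Path) -> dict:
    return json.loads(strip_jsonc(path.read_text(encoding="utf-8")))


def audit_settings(settings: dict, where: str) -> list:
    """Flag terminal env / profile settings; each finding is (file, key, value as JSON)."""
    return [(where, k, json.dumps(v)) for k, v in settings.items()
            if k.startswith(TERMINAL_SETTING_PREFIXES)]


def audit_devcontainer(doc: dict, where: str) -> list:
    """Flag lifecycle commands, embedded VS Code settings, and extensions installed without a prompt."""
    findings = [(where, k, json.dumps(doc[k])) for k in DEVCONTAINER_COMMAND_KEYS if k in doc]
    vscode = doc.get("customizations", {}).get("vscode", {})
    findings += audit_settings(vscode.get("settings", {}), where + "#customizations.vscode.settings")
    for ext in vscode.get("extensions", []):
        findings.append((where, "customizations.vscode.extensions", json.dumps(ext)))
    return findings


def audit_tasks(doc: dict, where: str) -> list:
    """Flag tasks configured to run as soon as the folder is opened."""
    return [(where, "tasks[].runOptions.runOn=folderOpen", json.dumps(t.get("command")))
            for t in doc.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]


def audit_repo(root: Path) -> list:
    """Walk the locations Codespaces reads and collect every auto-execution finding."""
    findings = []
    devcontainers = [root / ".devcontainer.json", root / ".devcontainer" / "devcontainer.json",
                     *sorted(root.glob(".devcontainer/*/devcontainer.json"))]
    for p in devcontainers:
        if p.is_file():
            findings += audit_devcontainer(load_jsonc(p), p.relative_to(root).as_posix())
    settings, tasks = root / ".vscode" / "settings.json", root / ".vscode" / "tasks.json"
    if settings.is_file():
        findings += audit_settings(load_jsonc(settings), ".vscode/settings.json")
    if tasks.is_file():
        findings += audit_tasks(load_jsonc(tasks), ".vscode/tasks.json")
    return findings


def demo() -> list:
    """Build a constructed sample repository in a temp dir and audit it (not a real project)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".devcontainer").mkdir()
        (root / ".devcontainer" / "devcontainer.json").write_text("""{
  // comments are legal in JSONC and must not break parsing
  "image": "example/base:latest",
  "postCreateCommand": "npm install",
  "customizations": {"vscode": {"extensions": ["publisher.example-extension"]}}
}""")
        (root / ".vscode").mkdir()
        (root / ".vscode" / "settings.json").write_text(
            '{"terminal.integrated.env.linux": {"EXAMPLE_VAR": "constructed"}, "editor.tabSize": 2}')
        (root / ".vscode" / "tasks.json").write_text(
            '{"tasks": [{"label": "setup", "command": "make setup", "runOptions": {"runOn": "folderOpen"}}]}')
        return audit_repo(root)


if __name__ == "__main__":
    for where, key, value in demo():
        print(f"{where}: {key} -> {value}")
```

Run it against a real checkout with `audit_repo(Path("path/to/repo"))`; an empty list means none of the audited keys are present, while any finding is a line a reviewer should read before opening the repository in a Codespace. The audit is deliberately allow-nothing: it reports every command and terminal override rather than trying to judge which are malicious, since a benign-looking `npm install` is indistinguishable from a hostile one without reading the package manifest it pulls in.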

Read More: https://www.securityweek.com/vs-code-configs-expose-github-codespaces-to-attacks/