A newly revealed VS Code flaw shows how a single click inside github.dev could expose powerful GitHub authentication tokens.
A newly disclosed vulnerability in Visual Studio Code is sending shockwaves through the developer community. Ammar Askar recently revealed that a single malicious click could be enough for attackers to hijack GitHub authentication tokens, potentially giving them access to private repositories, source code, CI/CD environments, and developer accounts.
The flaw affects the browser-based version of VS Code, commonly accessed through github.dev, Microsoft’s lightweight coding environment that runs directly inside a web browser. According to Askar, attackers can exploit weaknesses in VS Code’s webview security model to silently trigger actions that appear legitimate to the application.
What makes the issue particularly alarming is its simplicity. Unlike traditional attacks that rely on malware downloads or stolen credentials, this attack can begin with a single crafted link. Researchers demonstrated that malicious repositories or notebooks could abuse VS Code’s webview architecture to simulate keyboard shortcuts and automatically install a rogue extension in the background.
Once installed, the malicious extension can extract GitHub OAuth tokens and gain the same level of repository access as the victim, including read and write permissions across private projects.
Security experts warn the consequences could extend far beyond source code theft.
A compromised GitHub token can potentially allow attackers to inject malicious code into software projects, manipulate repositories, steal intellectual property, compromise CI/CD pipelines, and even launch large-scale supply-chain attacks affecting thousands of downstream users.
The attack is considered especially dangerous for github.dev users because browser-based workspaces are trusted by default. In many cases, simply opening a specially crafted repository may be enough to initiate the attack chain.
Researchers also noted that users who previously authenticated with github.dev and retained local browser session data may face a greater risk of silent exploitation.
The disclosure comes at a time when developer platforms are increasingly becoming prime targets for cybercriminals. Just weeks ago, GitHub confirmed a separate breach involving a poisoned VS Code extension that reportedly led to the compromise of nearly 3,800 internal repositories after an employee’s device was infected.
Cybersecurity analysts say the incident reflects a growing reality: developers now hold some of the most valuable credentials inside modern organizations. Access tokens tied to GitHub accounts often provide direct pathways into production systems, cloud infrastructure, internal tooling, and sensitive enterprise codebases.
While the browser version presents the easiest attack surface, researchers warn the underlying issue may also affect desktop VS Code environments if victims open malicious repositories locally.
At the time of disclosure, no publicly announced patch had been widely rolled out, prompting experts to recommend immediate defensive measures. Developers are being urged to avoid opening untrusted repositories or links, regularly review active GitHub sessions, rotate sensitive tokens, clear github.dev browser data, and closely monitor repositories for suspicious activity.