Summarize with:

Share
Security researcher Ammar Askar disclosed a one-click attack against github.dev, GitHub's browser-based VS Code experience, that can steal a user's full GitHub OAuth token through a malicious repository. According to the research, the bug sits in VS Code's webview event handling and can be abused to install an attacker-controlled extension, which then reads the victim's GitHub token and queries repositories the victim can access, including private ones.
The critical point is scope. Askar says the token passed from github.com to github.dev is not limited to the repository the user opened. It grants access across other repositories the user can reach. That turns a single malicious repository visit into a broader Credential Theft and source exposure problem for individual developers, maintainers, and enterprise engineering teams.
GitHub's github.dev feature opens repositories inside a lightweight browser-hosted VS Code environment. To make editing and pull requests work, github.com posts an OAuth token to github.dev so the web app can act on the user's behalf.
Askar's report says the problem is in how VS Code webviews bubble keyboard events back to the host application. Webviews are supposed to isolate untrusted content, but the implementation allowed JavaScript running inside the untrusted webview to emit keydown events that the main VS Code window treated as if they were genuine user inputs.
That breaks a core Access Control assumption. Instead of only rendering attacker-controlled content inside a sandbox, the malicious content can drive trusted UI actions in the host editor.
Askar's proof of concept uses a crafted repository containing:
.vscode/extensions.jsonThe reported chain works like this:
github.dev link to the malicious repositoryAccording to Askar, the result is not just repository browsing inside the current tab. The stolen token can read and write to repositories the user can access, including private ones. GitHub's OAuth scope documentation reinforces why the impact is broad: the repo scope provides full access to public and private repositories, while workflow also allows changes to GitHub Actions workflow files.
The research focuses on a subtle but important boundary failure.
VS Code webviews use a separate origin to isolate untrusted content. However, for usability reasons, keyboard events inside a webview are forwarded to the main editor so shortcuts still work. Askar shows that an attacker can exploit this feature by fabricating the same events from JavaScript inside the untrusted webview.
That means the security boundary was not broken through classic XSS against the main editor window. It was bypassed through trusted message-handling behavior that gave untrusted content a way to drive privileged editor actions.
The primary attack surface described in the report is github.dev in the browser. The one-click aspect comes from sending a victim directly to a malicious repository page hosted in the web editor.
Askar also notes the vulnerability affects the desktop version of VS Code, although exploitation there is harder because the attacker must convince the victim to clone a crafted repository and open the malicious notebook locally.
The report adds two important conditions:
github.dev before and has cleared site data, an initial dialog may provide a chance to back outThis issue is not just another malicious extension story. It demonstrates how developer tooling can turn UI trust decisions into credential exposure.
Three points matter most:
Askar explicitly says the OAuth token used by github.dev is not scoped only to the repository the victim opened. That significantly raises blast radius.
The initial foothold is attacker-controlled content inside a notebook preview. The end state is an installed extension running with much stronger capabilities inside the editor environment.
This is a direct reminder that Developer Security is not only about build pipelines and package registries. Browser-based IDEs, extension flows, and trust prompts are equally important control points.
Organizations that allow broad use of github.dev should treat this as an active browser-side developer tooling risk, especially for users with access to private repositories or sensitive internal source code.
Askar specifically recommends clearing local site data for github.dev so the initial dialog appears again and gives users a chance to stop unexpected launches.
This case shows that extension recommendations and workspace features can become part of an attack chain. Engineering teams should review where extension installation is allowed and how much autonomy browser-based tooling has.
The GitHub OAuth token handed to github.dev should be treated as a high-value secret. Monitoring and response plans should assume that browser-hosted developer environments can become token theft targets.
github.devgithub.dev on high-value developer systems and shared browsersgithub.dev launchesThe strongest lesson here is that developer tools now blend browser application complexity, extension ecosystems, and privileged identity tokens in one place. That combination creates failure modes that look like UI bugs but have the impact of secret theft.
Askar's write-up also shows why "it's just a browser editor" is the wrong security model. Once a browser-hosted tool can install extensions, access repositories, and act on behalf of a logged-in developer, its trust boundaries deserve the same scrutiny as a desktop IDE or privileged enterprise app.
It is GitHub's web-based editor experience that opens repositories in a lightweight browser-hosted VS Code environment.
According to the research, the attacker steals the GitHub OAuth token passed to github.dev, then uses it to access repositories the victim can read or write.
Yes. Askar says the token is not limited to the current repository and can access private repositories the victim is authorized to use.
The report says yes, but exploitation there is harder because the attacker must get the victim to clone and open a malicious repository locally.
Askar's timeline says he disclosed the issue on June 2, 2026. Microsoft then applied a stopgap fix on June 3, 2026 by adding a notebook-opening confirmation in web VS Code and hardening extension installation so attacker-controlled context could no longer skip publisher trust checks.
Written by
Research
A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.
Get the latest cybersecurity insights in your inbox.
vulnerabilityGitea Docker flaw turns a trusted proxy header into account takeover Gitea has fixed a critical authentication bypass in its official Docker images that could l...
vulnerabilityU-Boot FIT signature flaws expose a fragile pre-OS trust boundary Firmware security company Binarly has disclosed six vulnerabilities in U-Boot's FIT signature...
vulnerabilityMicrosoft Defender RoguePlanet fix closes a SYSTEM-level escalation path Microsoft has released a fix for CVE-2026-50656, the Microsoft Defender vulnerability p...