
VS Code github.dev zero-day exposed full GitHub OAuth tokens in one click

Researcher Ammar Askar dropped a webview-postMessage exploit on June 2 that steals github.dev OAuth tokens via a single click. Microsoft shipped a stopgap fix the next day.


Security researcher Ammar Askar publicly disclosed a zero-day in github.dev and the desktop VS Code webview on June 2, 2026 that lets an attacker steal a victim's GitHub OAuth token with a single click on a malicious Jupyter notebook link. The token returned by github.com's automatic POST to github.dev is scoped to every repository the victim can read or write — public and private — not just the one they opened. Microsoft acknowledged the flaw the same day and shipped a mitigation on June 3. No CVE has been assigned.

What the bug does

The flaw lives in the window.postMessage channel that VS Code's main editor uses to forward keyboard events between the chrome and sandboxed webviews. A webview is allowed to post synthetic keydown events that the main window dispatches as if a user had typed them. Askar's PoC abuses that primitive from inside a hostile Jupyter notebook rendered on github.dev:

  1. The notebook embeds a webview running attacker JavaScript.
  2. The webview simulates Ctrl+Shift+P to open the Command Palette.
  3. It then types the install command for an attacker-controlled extension.
  4. The extension activates on load, reads the GitHub OAuth token that github.dev was handed when the session opened, and exfiltrates it via the GitHub API.

The lever is that github.com's session bootstrap on github.dev hands the editor a token scoped to the user's entire repo set — not the repo the user clicked on. With the token in hand the attacker enumerates and clones every accessible private repository through the API.
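To make the trust-boundary problem concrete, here is an added illustration (not VS Code's or github.dev's code) of a host window that replays keydown messages from an embedded webview, first in the permissive shape the article describes and then hardened so that commands with side effects are never run on the strength of a synthesized key. The origin, command ids and keybinding table are constructed for the example; note that an origin check alone does not help, because the hostile script runs inside a legitimate webview.

```javascript
// Constructed values: the webview's origin and a two-entry keybinding table.
const WEBVIEW_ORIGIN = "https://webview.example";
const KEYBINDINGS = new Map([
  ["ctrl+shift+p", { id: "commandPalette", sideEffect: false }],
  ["ctrl+shift+x", { id: "extensions.install", sideEffect: true }], // constructed id
]);

// Normalise a keydown message into a "ctrl+shift+x" style chord string.
function chordOf(msg) {
  const parts = [];
  if (msg.ctrlKey) parts.push("ctrl");
  if (msg.shiftKey) parts.push("shift");
  parts.push(String(msg.key).toLowerCase());
  return parts.join("+");
}

// Permissive host: any keydown message is replayed as if the user typed it.
// Returns the command id that was run, or null.
function handlePermissive(event, run) {
  const msg = event.data;
  if (!msg || msg.type !== "keydown") return null;
  const binding = KEYBINDINGS.get(chordOf(msg));
  if (binding) run(binding.id);
  return binding ? binding.id : null;
}

// Hardened host: sender must be the expected webview origin, the webview must
// currently hold user focus, and a command with side effects (install, etc.)
// is only run after an explicit user confirmation outside the webview.
function handleHardened(event, ctx) {
  if (event.origin !== WEBVIEW_ORIGIN) return { ran: null, reason: "untrusted-origin" };
  if (!ctx.webviewHasFocus()) return { ran: null, reason: "webview-not-focused" };
  const msg = event.data;
  if (!msg || msg.type !== "keydown") return { ran: null, reason: "not-keydown" };
  const binding = KEYBINDINGS.get(chordOf(msg));
  if (!binding) return { ran: null, reason: "unbound" };
  if (binding.sideEffect && !ctx.confirm(binding.id)) return { ran: null, reason: "confirmation-denied" };
  ctx.run(binding.id);
  return { ran: binding.id, reason: "ok" };
}

// Demo: a forged install chord arriving from the legitimate webview origin.
function demo() {
  const ran = [];
  const ctx = { webviewHasFocus: () => true, confirm: () => false, run: (id) => ran.push(id) };
  const forged = { origin: WEBVIEW_ORIGIN, data: { type: "keydown", key: "x", ctrlKey: true, shiftKey: true } };
  const permissive = handlePermissive(forged, ctx.run); // runs extensions.install
  const hardened = handleHardened(forged, ctx);         // stops at confirmation
  return { permissive, hardened, ran };
}
```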

Affected surface

  • github.dev — the browser-based VS Code at https://github.dev. Direct hit; victim clicks a crafted link, exploit chain runs.
  • Desktop VS Code — the same webview primitive exists. Exploitation requires the attacker to convince the target to clone a repo and open the notebook, raising the bar, but the same token-theft outcome is reachable.

The desktop scenario is what The Register flagged as the broader risk — anyone who routinely opens unfamiliar notebooks from public repos was inside the blast radius for the 24 hours between disclosure and mitigation.

Exploitation status

Askar published the proof of concept on GitHub at the time of disclosure. No in-the-wild exploitation has been publicly reported for the 24-hour window before Microsoft's June 3 fix, but the PoC is a working chain, so any github.dev session that opened a malicious link during that window should be treated as suspect.

Microsoft's statement to The Hacker News says the issue "has been mitigated for our services and no customer action is required." The fix does two things: it prompts the user to confirm before opening certain file types on github.dev, breaking the one-click chain, and it blocks the extension-install commands the PoC relies on.

Action checklist

  1. Rotate any GitHub OAuth or personal access token that may have been minted by a github.dev session between June 2 and June 3, 2026, if the user opened a Jupyter notebook from an untrusted source. The github.dev token is not user-visible; rotation means rolling all PATs and reviewing OAuth app authorizations under Settings → Applications → Authorized OAuth Apps.
  2. Audit installed VS Code extensions for unfamiliar entries on accounts that used github.dev in that window. Extensions installed via the simulated Command Palette show up in the standard extensions list — there is no separate marker. Anything you do not recognize, remove and rotate.
  3. Review repository audit logs for unexpected git.clone or API enumeration activity from your account in the affected window. GitHub's git.clone events are visible under Settings → Audit log for org-owned accounts.
  4. Reload VS Code Desktop and ensure it has pulled the June 3 build. Microsoft pushed the change through the standard auto-update channel; users who disabled auto-update should refresh manually.
  5. Treat github.dev as a privileged context going forward. Opening an arbitrary repo on github.dev exposes the token covering every repo on the account — not the one in the URL bar.
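As an added triage helper for checklist items 2 and 3 (example code, not from the article or from GitHub): it flags git.clone audit events inside the June 2 to June 3 window and lists installed extension ids that are not on a maintained allowlist. The audit-log field names and all sample records are constructed; map them to the fields of your actual export.

```javascript
// Exposure window from the article: June 2 through the end of June 3, 2026 (UTC).
const WINDOW_START = Date.parse("2026-06-02T00:00:00Z");
const WINDOW_END = Date.parse("2026-06-04T00:00:00Z");

// Checklist item 3: clone events in the window. `created_at` and `action`
// are assumed field names for the export; adjust to match yours.
function suspiciousAuditEvents(events, actions = ["git.clone"]) {
  const watched = new Set(actions);
  return events.filter((e) => {
    const t = Date.parse(e.created_at);
    return watched.has(e.action) && !Number.isNaN(t) && t >= WINDOW_START && t < WINDOW_END;
  });
}

// Checklist item 2: extensions installed via the simulated palette look like
// any other entry, so the only signal is "not on my allowlist".
function unexpectedExtensions(installed, allowlist) {
  const allowed = new Set(allowlist.map((id) => id.trim().toLowerCase()));
  return installed.map((id) => id.trim()).filter((id) => id && !allowed.has(id.toLowerCase()));
}

// Constructed sample input (not real audit data).
const SAMPLE_EVENTS = [
  { action: "git.clone", actor: "alice", repo: "acme/internal-billing", created_at: "2026-06-02T14:07:00Z" },
  { action: "git.clone", actor: "alice", repo: "acme/website", created_at: "2026-05-30T09:00:00Z" },
  { action: "repo.create", actor: "alice", repo: "acme/sandbox", created_at: "2026-06-03T08:15:00Z" },
];
// Shape of `code --list-extensions` output, one publisher.name id per line.
const SAMPLE_INSTALLED = ["ms-python.python", "unknownpub.helper-tools"];
const SAMPLE_ALLOWLIST = ["ms-python.python", "esbenp.prettier-vscode"];

function triage(events = SAMPLE_EVENTS, installed = SAMPLE_INSTALLED, allowlist = SAMPLE_ALLOWLIST) {
  return {
    clonesInWindow: suspiciousAuditEvents(events),
    unknownExtensions: unexpectedExtensions(installed, allowlist),
  };
}
```

Feed the output of `code --list-extensions` as the installed list and your audit-log export as the events array; anything in `unknownExtensions` is a candidate for removal plus token rotation per item 1.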

Context

Askar explained the disclosure decision publicly: a prior VS Code bug he reported was silently patched by MSRC without credit or impact acknowledgment. He notified GitHub roughly an hour before posting and skipped Microsoft's normal coordinated channel. The Register's coverage frames this as the second public dustup in two months between an independent researcher and MSRC — following the "Chaotic Eclipse" series in April–May 2026 that produced PoCs for BlueHammer, YellowKey, RedSun, and UnDefend.

The structural lesson outlives the patch. github.dev's design — a session token scoped to the entire account, handed off via postMessage, rendered by a browser-grade JS runtime that can simulate keystrokes — is the kind of trust-boundary collision that web-based IDEs keep producing. Every IDE that runs untrusted content (notebooks, READMEs with images, MD previews) in a context that can reach the user's auth token is a single bypass away from the same outcome. The June 3 mitigation closes this chain; it does not close the class.
