A critical security vulnerability in Visual Studio Code's webview implementation has been publicly disclosed. It lets an attacker steal a victim's GitHub OAuth token and gain full read/write access to every private repository that victim can reach, triggered by nothing more than a single click on a malicious link.
The Bug: How VSCode’s Webview Architecture Is Exploited
GitHub's browser-based editor at github.dev automatically receives a broad, unscoped OAuth token whenever a user navigates there from github.com. That token grants access to every repository the user can reach, not just the one they opened. Combined with a nearly complete build of VSCode's TypeScript codebase running in the browser, this makes github.dev a high-value target.
VSCode isolates untrusted content inside <iframe> webviews served from a separate vscode-webview:// origin. However, the webview host forwards every keyboard event it observes inside the webview to the main VSCode window as a did-keydown message via postMessage(), so that editor keybindings keep working while a webview has focus. Untrusted JavaScript running in a webview can synthesize keydown events that travel over that same channel, so a bridge built for usability becomes a path from untrusted content to privileged editor commands.
The Five-Stage Exploit Chain
Security researcher Ammar Askar published a full proof-of-concept on June 2, 2026, demonstrating a complete token-steal chain that requires zero interaction beyond the initial click. The attack proceeds in five stages:
- Stage 1 – Malicious Jupyter Notebook: A crafted .ipynb file uses an HTML <img> tag with an onerror handler to execute arbitrary JavaScript inside a webview iframe.
- Stage 2 – Synthetic Keypress: The payload dispatches a fake Ctrl+Shift+A keydown event, which maps to "Notifications: Accept Notification Primary Action", silently accepting a malicious extension installation prompt.
- Stage 3 – Extension Bypass: Instead of installing from the Marketplace (which triggers a trust dialog), the attacker places the extension directly in .vscode/extensions/, bypassing publisher trust checks.
- Stage 4 – Keybinding Trick: A custom keybinding calls workbench.extensions.installExtension with skipPublisherTrust: true to overcome Content Security Policy restrictions.
- Stage 5 – Token Exfiltration: The installed extension reads the preloaded GitHub OAuth token and calls the GitHub API to enumerate and exfiltrate every private repository the token can reach.
The entire payload executes in under a minute. On desktop VSCode, the consequence is even worse — a successful exploit achieves full Remote Code Execution because extensions have unrestricted access to Node.js APIs including child_process.
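The keydown bridge and Stage 2 of the chain are easiest to see in a small model. The following is an added illustration, not code from VSCode or from the researcher's proof-of-concept: it models the main window's keybinding dispatcher receiving did-keydown messages, once in the forwarding form the article describes and once with two illustrative checks (drop script-synthesized events, and never let webview-originated keys reach commands that confirm a trust decision). The keybinding table, the command id strings, the PRIVILEGED_COMMANDS set and the message shape are assumptions chosen for the example, and the hardened variant is not the upstream fix.

```javascript
// Added example (not VSCode's code). Models the did-keydown bridge between an
// untrusted webview and the main window's keybinding dispatcher.
// KEYBINDINGS, PRIVILEGED_COMMANDS and the command ids are assumed names.

// Keybinding table of the "main window". Ctrl+Shift+A stands in for the
// "Notifications: Accept Notification Primary Action" binding from the article.
const KEYBINDINGS = new Map([
  ['ctrl+shift+a', 'notifications.acceptPrimaryAction'],
  ['ctrl+s', 'workbench.action.files.save'],
]);

// Commands that confirm a trust decision (assumed set for this example).
const PRIVILEGED_COMMANDS = new Set(['notifications.acceptPrimaryAction']);

// Normalise the fields a did-keydown message carries into a chord string.
function chordFromKeydown(data) {
  const mods = [];
  if (data.ctrlKey) mods.push('ctrl');
  if (data.shiftKey) mods.push('shift');
  if (data.altKey) mods.push('alt');
  if (data.metaKey) mods.push('meta');
  return [...mods, String(data.key).toLowerCase()].join('+');
}

// Constructed message: what a script-dispatched keydown inside the webview
// looks like after the bridge forwards it. isTrusted is false because the
// event came from script, not from the user.
function syntheticKeydownMessage(key, mods = {}) {
  return {
    type: 'did-keydown',
    data: { key, ctrlKey: false, shiftKey: false, altKey: false, metaKey: false,
            ...mods, isTrusted: false },
  };
}

// Constructed message: a genuine user keypress forwarded by the same bridge.
function userKeydownMessage(key, mods = {}) {
  const m = syntheticKeydownMessage(key, mods);
  m.data.isTrusted = true;
  return m;
}

// Forwarding dispatcher as described in the article: every forwarded keydown
// is resolved against the keybinding table and its command is executed.
function dispatchVulnerable(msg, executed = []) {
  if (msg.type !== 'did-keydown') return executed;
  const command = KEYBINDINGS.get(chordFromKeydown(msg.data));
  if (command) executed.push(command);
  return executed;
}

// Illustrative hardened dispatcher (assumption, not the upstream fix):
//  1. ignore events the browser did not mark as user-initiated;
//  2. refuse privileged commands for any webview-originated key, because the
//     content is untrusted by design and could also post messages directly.
function dispatchHardened(msg, executed = []) {
  if (msg.type !== 'did-keydown') return executed;
  if (msg.data.isTrusted !== true) return executed;
  const command = KEYBINDINGS.get(chordFromKeydown(msg.data));
  if (!command || PRIVILEGED_COMMANDS.has(command)) return executed;
  executed.push(command);
  return executed;
}

// Replay Stage 2: webview payload fires a synthetic Ctrl+Shift+A.
function simulateStage2(dispatch) {
  const attack = syntheticKeydownMessage('A', { ctrlKey: true, shiftKey: true });
  return dispatch(attack);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('forwarding:', simulateStage2(dispatchVulnerable)); // ['notifications.acceptPrimaryAction']
  console.log('hardened:  ', simulateStage2(dispatchHardened));   // []
}
```

The isTrusted check alone is not a complete defence: untrusted content can post its own did-keydown message rather than dispatching a DOM event, so the model also refuses privileged commands for anything arriving over the webview channel, while still letting an ordinary user keypress such as Ctrl+S through.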
Scope and Impact
The stolen OAuth token is not scoped to a single repository. An attacker can silently read, modify, or push to every private repository the victim has access to. Since github.dev does not implement CSRF tokens, any link on the internet can redirect a victim into this attack path without any warning. The vulnerability affects both the browser-hosted github.dev and the desktop version of VSCode, though desktop exploitation requires the victim to clone and open the attacker’s repository.
Researcher’s Full Disclosure Decision
Askar chose full public disclosure without coordinating with Microsoft, citing a prior negative experience with the Microsoft Security Response Center (MSRC). He notified a GitHub security contact just one hour before publishing. This decision has reignited debate in the security community about responsible disclosure timelines and vendor accountability when vendors fail to engage constructively with researchers.
Immediate Mitigations
- Clear all site data for github.dev in your browser. In Chrome, click the site information icon at the left of the address bar, open "Cookies and site data", and delete all github.dev entries. This restores the first-visit consent dialog instead of letting github.dev receive a token silently.
- Avoid clicking unknown github.dev links until Microsoft or GitHub issues a patch.
- Audit all extensions currently installed on github.dev and remove any unrecognized ones.
- Monitor GitHub audit logs for unexpected repository access, and revoke any OAuth authorizations you do not recognise under Settings > Applications > Authorized OAuth Apps.
- Organizations with highly sensitive codebases should consider blocking employee access to github.dev entirely until a patch is available.