Particle.news

One-Click Flaw in github.dev Lets Attackers Steal GitHub OAuth Tokens

Exploit code shows a webview message-passing bug can install malicious extensions to take broad-scoped GitHub tokens that permit access to private repositories.

Overview

  • Security researcher Ammar Askar publicly released technical details and proof-of-concept code on June 2 that demonstrates a one-click attack against github.dev.
  • The exploit runs JavaScript inside a VS Code webview to simulate keypresses, open the Command Palette, and silently install an attacker-controlled extension.
  • The installed extension then extracts the OAuth token that github.com posts to github.dev; because the token is not limited to a single repository, it can read and write every repository the user can access.
  • According to an internal Microsoft statement, Microsoft has acknowledged the report, said it is working on a fix, and stated that VS Code Desktop is not affected.
  • Users and organizations are urged to clear github.dev site data to force re-consent, restrict extension installs, rotate tokens and secrets, and run secret scans, because stolen tokens can expose private repositories and developer supply chains. The disclosure follows recent incidents involving malicious VS Code extensions and strained relations between some researchers and Microsoft's security response team.