Overview
- Researcher Ammar Askar publicly released proof-of-concept exploit code on Wednesday, roughly one hour after notifying GitHub.
- The attack abuses github.dev’s webview message passing to run malicious JavaScript that simulates keypresses in the main editor and triggers installation of a rogue extension.
- OAuth tokens are POSTed by github.com to github.dev and are not scoped to the single repository in view, so a stolen token can read and write every repository the user can access, including private ones.
- Microsoft has acknowledged the vulnerability, said VS Code Desktop is unaffected, and is working on a patch, but no official fix has been released yet.
- Security guidance urges immediate steps, such as clearing github.dev site data, rotating tokens and keys, restricting or blocking untrusted extensions, and running secret scans, because the flaw poses a serious risk to developer credentials and the software supply chain.