VS Code Zero-Day Lets Hackers Steal GitHub Tokens in One Click

BleepingComputer, Jun 3, 2026

Why It Matters

The stolen token gives an attacker the same access to private repositories that the victim has, which makes this a severe supply‑chain risk for every project those developers work on. It also highlights ongoing friction between independent security researchers and Microsoft’s disclosure process.

Key Takeaways

  • VS Code zero‑day enables one‑click theft of GitHub OAuth tokens
  • Malicious JavaScript in VS Code webview installs rogue extensions
  • GitHub token grants attacker full access to all private repositories
  • No patch or CVE yet; clear github.dev cookies as workaround
  • Researcher criticized Microsoft’s security response, opting for immediate public disclosure

Pulse Analysis

The newly revealed VS Code zero‑day abuses the editor’s webview messaging system to run attacker‑controlled JavaScript, which then silently installs a malicious extension. Once the extension is active, it intercepts the OAuth token that GitHub issues to the browser‑based github.dev environment; with that token the attacker can call the GitHub API and list every private repository the victim can access. Because the token is scoped to the user’s repositories as a whole rather than to a single repository, one click can expose entire codebases across an organization.

This incident underscores a growing security challenge for developer‑focused tools. As integrated cloud services become standard in IDEs, the attack surface expands well beyond traditional desktop software. The lack of a patch and the absence of a CVE identifier have drawn criticism from the security community, echoing earlier disputes with the “Nightmare Eclipse” researcher who exposed multiple Microsoft zero‑days. The friction highlights the need for clearer, faster coordination between product teams and independent researchers so that risks are mitigated before public disclosure.

For enterprises, the immediate workaround is simple: clear cookies and site data for github.dev, which forces a fresh sign‑in and surfaces the prompt that warns users before an extension is installed. That is a speed bump rather than a fix: if a token may already have been exposed, treat it as compromised and revoke the corresponding OAuth authorization in the GitHub account’s settings. Longer‑term strategies include enforcing strict extension allowlists, monitoring OAuth token usage, and applying zero‑trust principles to developer environments. As the ecosystem evolves, organizations should prioritize rapid patch adoption and maintain open channels with security researchers to stay ahead of similar supply‑chain threats.
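Because the attack chain described above ends with a silently installed extension, the audit a practitioner wants first is "which extensions are actually installed, and which of them did nobody approve?" The script below is an added example, not code from the article, Microsoft or GitHub. It reads the `extensions.json` that desktop VS Code keeps beside its installed extensions (assumed path: `~/.vscode/extensions/extensions.json`; the `identifier.id`, `version` and `metadata.installedTimestamp` fields are assumed to match that file on current builds, so verify against your own install), compares each extension against a hypothetical allowlist of exact IDs and trusted publishers, and reports anything outside it with its install time. The sample file content and the allowlist are constructed for illustration.

```python
"""Audit installed VS Code extensions against an allowlist (added example)."""
import json
import os
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical allowlist: exact extension IDs plus publisher prefixes that are
# trusted wholesale. Real deployments would pull this from policy, not code.
ALLOWED_EXTENSIONS = {"ms-python.python", "github.copilot",
                      "github.vscode-pull-request-github"}
ALLOWED_PUBLISHERS = {"ms-vscode"}

# Constructed sample of extensions.json content (not a real capture). The last
# entry plays the role of a rogue extension dropped by the attack.
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.4.1",
     "metadata": {"publisherDisplayName": "Microsoft", "installedTimestamp": 1700000000000}},
    {"identifier": {"id": "ms-vscode.cpptools"}, "version": "1.20.5",
     "metadata": {"publisherDisplayName": "Microsoft", "installedTimestamp": 1700000100000}},
    {"identifier": {"id": "GitHub.copilot"}, "version": "1.180.0",
     "metadata": {"publisherDisplayName": "GitHub", "installedTimestamp": 1700000200000}},
    {"identifier": {"id": "totally-legit.github-sync-helper"}, "version": "0.0.1",
     "metadata": {"publisherDisplayName": "totally-legit", "installedTimestamp": 1717400000000}},
])


def parse_installed(text: str) -> list[dict]:
    """Return installed extensions as {id, version, installed_at} records.

    Extension IDs are case-insensitive in the marketplace ("GitHub.copilot" and
    "github.copilot" are the same extension), so IDs are normalised to lowercase
    before any comparison. installedTimestamp is milliseconds since the epoch.
    """
    records = []
    for entry in json.loads(text):
        ext_id = (entry.get("identifier") or {}).get("id", "")
        meta = entry.get("metadata") or {}
        ts = meta.get("installedTimestamp")
        records.append({
            "id": ext_id.lower(),
            "version": entry.get("version", "?"),
            "installed_at": datetime.fromtimestamp(ts / 1000, tz=timezone.utc) if ts else None,
        })
    return records


def audit(records: list[dict], allowed_extensions=ALLOWED_EXTENSIONS,
          allowed_publishers=ALLOWED_PUBLISHERS) -> list[dict]:
    """Return the records that match neither an allowed ID nor an allowed publisher."""
    allowed_ids = {e.lower() for e in allowed_extensions}
    allowed_pubs = {p.lower() for p in allowed_publishers}
    findings = []
    for rec in records:
        publisher = rec["id"].split(".", 1)[0]  # IDs have the form publisher.name
        if rec["id"] in allowed_ids or publisher in allowed_pubs:
            continue
        findings.append(rec)
    return findings


def unauthorized_ids(text: str) -> list[str]:
    """Convenience wrapper: sorted IDs of extensions that fail the allowlist."""
    return sorted(r["id"] for r in audit(parse_installed(text)))


def main() -> None:
    # Assumed location of the real file; override with VSCODE_EXTENSIONS_JSON.
    default = Path.home() / ".vscode" / "extensions" / "extensions.json"
    path = Path(os.environ.get("VSCODE_EXTENSIONS_JSON", default))
    text = path.read_text() if path.exists() else SAMPLE_EXTENSIONS_JSON
    source = str(path) if path.exists() else "constructed sample"
    print(f"auditing {source}")
    for rec in audit(parse_installed(text)):
        when = rec["installed_at"].isoformat() if rec["installed_at"] else "unknown time"
        print(f"NOT ALLOWED: {rec['id']} {rec['version']} (installed {when})")


if __name__ == "__main__":
    main()
```

Run against the constructed sample, only `totally-legit.github-sync-helper` is reported; the mixed-case `GitHub.copilot` entry is correctly recognised as the allowed `github.copilot`. The install timestamp is the detail worth keeping in the report: an extension that appeared minutes after a developer opened an untrusted workspace is the lead an incident responder follows. Desktop VS Code also ships an `extensions.allowed` setting that can be pinned through enterprise policy (assumed available on current releases); that setting is the preventive control, while a script like this is the audit that tells you whether the control held.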
