// Alert

GitHub threat report

// GitHubCRITICAL

A critical vulnerability in Visual Studio Code's webview implementation allows attackers to steal GitHub OAuth tokens with full repository access via a single malicious link. Researcher Ammar Askar disclosed a complete exploit chain on June 2, 2026, demonstrating token exfiltration through malicious .ipynb files and synthetic keyboard events that trigger silent extension installation. The attack affects both github.dev and desktop VS Code, with proof-of-concept code publicly released.

// Get alerts for GitHub