// GitHubCRITICAL
A critical vulnerability in Visual Studio Code's webview implementation allows attackers to steal GitHub OAuth tokens with full repository access via a single malicious link. Researcher Ammar Askar disclosed a complete exploit chain on June 2, 2026, demonstrating token exfiltration through malicious .ipynb files and synthetic keyboard events that trigger silent extension installation. The attack affects both github.dev and desktop VS Code, with proof-of-concept code publicly released.
- 1-Click GitHub Token Vulnerability Lets Attackers Steal Users' O(opens in a new tab)
- Another bug hunter leaks Microsoft exploits in defiance of compa(opens in a new tab)
- One Click Could Hand Over Your Entire GitHub Account: New VS Cod(opens in a new tab)
- VS Code Vulnerability Allows One-Click GitHub Token Theft - Secu(opens in a new tab)
- VS Code Zero-Day Vulnerability Steals GitHub Tokens(opens in a new tab)
- Active Exploitation Alert: Critical VS Code Zero-Day Enables One(opens in a new tab)
// Get alerts for GitHub