Ravie LakshmananJun 03, 2026Vulnerability / Software Development

Cybersecurity researchers have disclosed a one-click attack via Microsoft Visual Studio Code (VS Code) that makes it possible to steal a user's GitHub token.

"Just by clicking a link, it's possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones," security researcher Ammar Askar said.

GitHub supports a feature called GitHub.dev that runs as a lightweight web-based source code editor in the web browser's sandbox by launching a VS Code environment. It allows users to send pull requests and make commits.

"This functionality is achieved by github.com POSTing over an OAuth token to github.dev that allows it to interact with GitHub on your behalf," Askar said. "The token is not scoped to the particular repo you interacted with, meaning it has full access to every other repo that you have access to."