One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens

A one-click attack on VS Code's GitHub.dev feature allows attackers to steal full-access GitHub OAuth tokens by installing malicious extensions.

• •GitHub.dev runs VS Code in a browser and passes OAuth tokens that have read/write access to all user repositories.
• •Attackers exploit webview message-passing to simulate keypresses, open the Command Palette, and install malicious extensions.
• •The attack bypasses publisher trust checks using the local workspace extensions feature without additional prompts.
• •Extracted tokens can enumerate and access all private repositories the victim has access to.
• •VS Code Desktop is not affected; Microsoft is working on a fix after being notified on June 2, 2026.

This summary was automatically generated by AI based on the original article and may not be fully accurate.