- What: A one-click exploit in GitHub.dev chains VS Code webview keypress injection, Command Palette abuse, and a local workspace extension bypass to install a rogue extension and steal the victim's full-scope GitHub OAuth token; no CVE has been assigned yet, and a patch is pending from Microsoft.
- Impact: A stolen token grants complete read/write access to every repository the victim can reach, including private organizational codebases; attackers can exfiltrate code, inject backdoors, and harvest embedded secrets.
- Fix / mitigation: No patch is available yet; avoid clicking untrusted links that open GitHub.dev, revoke over-scoped OAuth tokens, use fine-grained personal access tokens, and prefer VS Code Desktop (confirmed not affected) for sensitive work.
- Who's at risk: Any of the 5.7 million+ developers who use the browser-based GitHub.dev editor and could be socially engineered into clicking a crafted link.
Security researcher Ammar Askar has disclosed a one-click attack vector that exploits GitHub.dev's integration with Microsoft Visual Studio Code to steal full-access GitHub OAuth tokens. The vulnerability allows attackers to compromise tokens with read and write access to all repositories—including private ones—simply by convincing a victim to click a malicious link. GitHub was notified on June 2, 2026, with details published publicly just one hour later.
Attack Vector: Exploiting GitHub.dev's OAuth Implementation
GitHub.dev provides a lightweight, browser-based VS Code environment that allows users to edit code, send pull requests, and make commits directly from their browser. To enable this functionality, github.com transmits an OAuth token via POST request to github.dev, granting the web-based editor permission to interact with GitHub on the user's behalf.
The critical security flaw lies in the token's scope: rather than being limited to the specific repository a user is working on, the OAuth token provides full access to every repository the user can access. This design decision creates an attractive target for attackers, as a single compromised token grants blanket access to an organization's entire codebase.
Stolen tokens grant full read/write access to all repositories accessible by the victim, including private organizational codebases. Attackers can exfiltrate proprietary source code, inject malicious code, steal secrets embedded in repositories, and establish persistent backdoors—all without triggering additional authentication prompts.
Technical Exploit Chain
The attack exploits VS Code's message-passing mechanism between the main editor window and webviews. Webviews render content like Markdown previews and Jupyter notebooks, operating with specific security boundaries. Askar's exploit chains multiple VS Code features to bypass security controls:
- Malicious JavaScript executes within an untrusted webview to simulate keypresses (keydown events) in the main editor window
- Simulated keypresses trigger "Ctrl+Shift+P" to open VS Code's Command Palette
- The exploit installs an attacker-controlled extension without user interaction
- The malicious extension captures the GitHub OAuth token when github.com passes it to GitHub.dev
- The attacker then uses the stolen token against the GitHub API to enumerate every private repository the victim can access
Bypassing Publisher Trust Controls
A critical component of the attack leverages VS Code's "local workspace extensions" feature. This mechanism allows extensions placed in the ".vscode/extensions" folder within a workspace to install directly without presenting additional trust dialog prompts, effectively bypassing the publisher trust check that normally protects users from unverified extensions.
Askar noted that, while the trusted publisher check might look like a security obstacle, extensions can contribute custom keybindings through their package.json configuration. Since the exploit can reliably trigger arbitrary keybindings, an attacker can bind a key to a command such as installing an extension while skipping the trusted publisher check entirely. This eliminates the final barrier between a malicious link and complete repository access.
Controversial Disclosure Timeline
The researcher disclosed details of the vulnerability publicly just one hour after notifying GitHub on June 2, 2026. Askar justified this unusually brief disclosure window by citing Microsoft's historical handling of VS Code-related security issues. This approach diverges significantly from standard responsible disclosure practices, which typically allow vendors 90 days to develop and deploy patches before public disclosure.
Microsoft has acknowledged the vulnerability and confirmed active development of a fix. Alexandru Dima, a partner software engineering manager at Microsoft, clarified that VS Code Desktop is not affected by this issue—the vulnerability is specific to the GitHub.dev web-based implementation.
Scope and Limitations
The vulnerability specifically affects GitHub.dev's browser-based VS Code environment. Users of VS Code Desktop are not vulnerable to this attack vector, as Microsoft has confirmed. However, the widespread adoption of GitHub.dev as a lightweight editing tool means millions of developers potentially encounter this attack surface during normal workflows.
The attack requires social engineering—victims must click a malicious link to trigger the exploit. However, the one-click nature of the attack and the lack of visible warning signs make this a realistic threat. Attackers could distribute malicious links through phishing campaigns, compromised documentation sites, or even legitimate-looking GitHub issues and pull requests.
Immediate Mitigation Strategies
Until Microsoft deploys a comprehensive fix, organizations should implement defensive measures to reduce exposure:
- Avoid clicking untrusted links that open GitHub.dev, particularly from unknown sources or unexpected contexts
- Review OAuth token permissions and revoke tokens with excessive scope through GitHub security settings
- Implement GitHub's fine-grained personal access tokens with repository-specific permissions where possible
- Monitor GitHub audit logs for unusual API activity patterns, particularly bulk repository enumeration
- Consider temporarily restricting GitHub.dev usage through organizational policies until patches are available
- Educate development teams about the attack vector and social engineering risks
- Use VS Code Desktop for sensitive repository operations rather than browser-based editors
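One way to act on the audit-log monitoring item above, as an added example that is not from the original article or from GitHub: a small Python script that reads constructed audit-style events and flags any actor that touches an unusual number of distinct repositories inside a short window, which is the trace a token-driven enumeration would leave. The JSON field names (actor, action, repo, created_at), the sample events and the thresholds are assumptions for this example, not GitHub's exact audit log export schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in JSON-lines form. The field names are an
# assumption for this example, not GitHub's exact audit log export schema.
SAMPLE_LOG = """\
{"actor": "alice", "action": "git.clone", "repo": "acme/web-app", "created_at": "2026-06-02T10:00:05Z"}
{"actor": "alice", "action": "git.push", "repo": "acme/web-app", "created_at": "2026-06-02T10:41:12Z"}
{"actor": "carol", "action": "git.fetch", "repo": "acme/infra", "created_at": "2026-06-02T10:02:00Z"}
{"actor": "carol", "action": "git.fetch", "repo": "acme/infra", "created_at": "2026-06-02T10:02:30Z"}
{"actor": "carol", "action": "git.fetch", "repo": "acme/infra", "created_at": "2026-06-02T10:03:00Z"}
{"actor": "bob", "action": "repo.access", "repo": "acme/web-app", "created_at": "2026-06-02T10:05:00Z"}
{"actor": "bob", "action": "repo.access", "repo": "acme/infra", "created_at": "2026-06-02T10:05:02Z"}
{"actor": "bob", "action": "repo.access", "repo": "acme/billing", "created_at": "2026-06-02T10:05:04Z"}
{"actor": "bob", "action": "repo.access", "repo": "acme/secrets-vault", "created_at": "2026-06-02T10:05:06Z"}
{"actor": "bob", "action": "repo.access", "repo": "acme/mobile", "created_at": "2026-06-02T10:05:09Z"}
"""


def parse_events(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_bulk_enumeration(events, window=timedelta(minutes=5), repo_threshold=4):
    """Flag actors that touch at least repo_threshold distinct repos within any
    sliding window of length `window`. Returns {actor: sorted list of repos}.
    Repeated access to a single repo (carol) is normal and is not flagged."""
    by_actor = defaultdict(list)
    for e in events:
        ts = datetime.strptime(e["created_at"], "%Y-%m-%dT%H:%M:%SZ")
        by_actor[e["actor"]].append((ts, e["repo"]))
    flagged = {}
    for actor, hits in by_actor.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits in `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            repos = {repo for _, repo in hits[start:end + 1]}
            if len(repos) >= repo_threshold:
                flagged.setdefault(actor, set()).update(repos)
    return {actor: sorted(repos) for actor, repos in flagged.items()}


if __name__ == "__main__":
    for actor, repos in find_bulk_enumeration(parse_events(SAMPLE_LOG)).items():
        print(f"possible bulk enumeration by {actor}: {len(repos)} repos -> {repos}")
```

Tune the window and threshold to the organization's normal clone and fetch rhythm; CI runners and mirroring jobs legitimately touch many repositories and should be allow-listed by actor rather than by lowering the threshold.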
Broader Supply Chain Implications
This vulnerability represents the latest in a series of developer-focused attacks targeting the software supply chain. With access to private repositories, attackers can inject malicious code into proprietary applications, steal intellectual property, harvest credentials and API keys embedded in source code, and establish long-term persistence within development pipelines.
The one-click attack complexity combined with full repository access makes this vulnerability particularly dangerous for organizations with extensive private codebases. Security teams should treat this as a critical credential security incident and immediately audit OAuth token usage across their development infrastructure. The compressed disclosure timeline means attackers may already be developing exploits, making rapid response essential.