Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1945+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. VS Code Zero-Day Lets Hackers Steal GitHub Tokens in One Click
VS Code Zero-Day Lets Hackers Steal GitHub Tokens in One Click
NEWS

VS Code Zero-Day Lets Hackers Steal GitHub Tokens in One Click

A security researcher has released exploit code for a Visual Studio Code zero-day vulnerability that allows attackers to steal GitHub authentication tokens by…

Dylan H.

News Desk

June 3, 2026
4 min read

A security researcher has publicly released proof-of-concept exploit code targeting a zero-day vulnerability in Visual Studio Code that enables attackers to silently steal GitHub authentication tokens — requiring only that the target clicks a single specially crafted link.

The disclosure raises immediate concerns for the tens of millions of developers who rely on VS Code's integrated GitHub authentication for daily workflows.

How the Attack Works

The zero-day exploits VS Code's URI handling and its deep integration with GitHub's OAuth token flow. When a user clicks a malicious link — which could be delivered via email, chat platforms, a GitHub issue, or a compromised webpage — the exploit triggers VS Code to initiate a token exchange that routes the resulting authentication token to an attacker-controlled endpoint instead of the legitimate GitHub service.

Because the entire flow mimics a legitimate VS Code-to-GitHub authentication handshake, most users and endpoint security tools have no way to distinguish the attack from normal behavior.

Attack Flow

  1. Victim receives a link crafted with a malicious vscode:// or vscode-insiders:// URI
  2. VS Code auto-handles the URI scheme and initiates a GitHub authentication callback
  3. Token is silently exfiltrated to the attacker's server before any user prompt appears
  4. Attacker gains persistent access to the victim's GitHub account using the stolen token

The researcher who discovered the flaw describes it as a "one-click, zero-interaction theft" — the victim sees nothing unusual and receives no warning dialogs.

Scope and Impact

A stolen GitHub personal access token (PAT) or OAuth token grants an attacker:

  • Full read/write access to all repositories the victim has access to
  • Ability to push malicious code to open source projects, corporate codebases, or personal repositories
  • Access to GitHub Actions workflows, enabling supply chain attacks
  • Organization-level access if the victim belongs to GitHub organizations

Given VS Code's dominance among developers — with over 70% market share in IDE usage surveys — the potential blast radius is enormous. Supply chain attacks originating from stolen developer tokens have become one of the most consequential threat vectors in 2026.

Researcher Disclosure

The researcher released a full proof-of-concept alongside the disclosure, citing Microsoft's slow response to their private report. The PoC is now publicly available, meaning threat actors have immediate access to working exploit code.

As of publication, no patch is available. Microsoft has acknowledged the report and confirmed the issue is under investigation.

Mitigation Steps

Until Microsoft releases a patch, developers can take the following steps to reduce exposure:

  1. Revoke existing GitHub tokens associated with VS Code under GitHub Settings → Developer Settings → Personal access tokens
  2. Disable VS Code URI handling in system settings where possible
  3. Be suspicious of any link that would launch or interact with VS Code, especially in GitHub issues, emails, or chat messages
  4. Monitor GitHub audit logs for unexpected token creations or repository access from unfamiliar IP addresses
  5. Use fine-grained tokens with minimal permissions rather than classic broad-scope tokens
  6. Enable GitHub's token expiry settings to limit the window of token abuse
# List your active GitHub tokens via CLI
gh auth token
gh api user/installations
 
# Revoke all VS Code OAuth apps via GitHub settings
# Settings → Applications → Authorized OAuth Apps → Revoke

Broader Implications

This zero-day follows a string of developer tool compromises in 2026, including the Trivy supply chain attack, the Axios npm package hijack, and the Grafana GitHub token breach — all of which leveraged stolen developer credentials to pivot into broader infrastructure. The pattern underscores that developer workstations and tooling are now high-value targets in the modern threat landscape.

The security community is urging Microsoft to treat developer toolchain security with the same urgency as enterprise endpoint security, given the outsized impact that compromising a single developer's environment can have on downstream software supply chains.


Patch status: Under investigation by Microsoft. Check the VS Code release notes for updates.

#Zero-Day#Vulnerability#Visual Studio Code#GitHub#Token Theft#Developer Security

Related Articles

Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal

Microsoft condemns uncoordinated public zero-day disclosure, urging the security community to adopt CVD after removing a researcher's GitHub account.

8 min read

Inc Ransomware Exploits Chained SonicWall SMA Zero-Days for Root Access

The Inc ransomware group is actively exploiting two chained zero-day vulnerabilities in SonicWall Secure Mobile Access appliances. When combined, the flaws allow unauthenticated attackers to gain root-level control over SMA devices.

4 min read

Ghost Accounts Abuse GitHub API in Mass Recon Campaign

Multiple threat campaigns are leveraging disposable 'ghost' GitHub accounts to conduct mass reconnaissance against organizations, systematically mapping...

5 min read
Back to all News