1-Click GitHub Token Stealing via a VSCode Bug
- Security
- Developer Tools
- Open Source
- Infrastructure
The post walks through an exploit chain in vscode.dev and github.dev that ends with GitHub token theft after a single user action. The core trick is not “someone installed a sketchy extension on purpose.” It is that VS Code webviews, keyboard shortcuts, local workspace extensions, and GitHub’s automatic sign-in model could be combined so a malicious repo or redirected page nudged the browser IDE into installing code that then exfiltrated the user’s GitHub token. That matters because github.dev was running with the user’s normal GitHub account privileges, not a narrowly scoped token for just the repo they opened. So a bug reached far beyond one project.
Treat browser IDEs and coding agents as high-risk surfaces that should never hold broad, durable credentials. If your team uses github.dev, VS Code web, or similar tools, push for per-repo temporary tokens, stricter extension isolation, and an explicit review of where long-lived GitHub access is being handed out automatically.
-
blog.ammaraskar.com
- Discuss on HN