Listen to this Post
Introduction
A newly disclosed zero-day vulnerability in Visual Studio Code’s github.dev web-based editor allows attackers to steal full-privilege GitHub OAuth tokens with just a single malicious click. By chaining together a malicious Jupyter notebook file, JavaScript injection, and a silent extension installation bypass, attackers can exfiltrate a token that grants read/write access to all public and private repositories the victim has access to—not just the repository they clicked. The vulnerability highlights a dangerous gap in how modern development environments handle cross-origin messaging and locally trusted extensions.
Learning Objectives
– Understand how the github.dev message‑passing mechanism and local workspace extensions are exploited to bypass publisher trust checks.
– Learn to detect and mitigate such OAuth token theft through browser settings, token revocation, and extension allow‑listing.
– Implement defensive strategies including fine‑grained PATs, CLI revocation procedures, and runtime monitoring for unexpected API calls.
You Should Know
1. Anatomy of the One‑Click Exploit Chain
The attack begins when a victim clicks a specially crafted link pointing to a GitHub repository that contains a malicious Jupyter Notebook (.ipynb) file. As soon as github.dev opens, GitHub automatically POSTs an OAuth token to the browser session—a token that is not scoped to the specific repository; instead, it has full access to every repository the user can reach, including private ones.
Inside the notebook, a hidden HTML snippet (using an `onerror` handler) executes attacker‑controlled JavaScript inside a sandboxed webview iframe. VS Code webviews are normally used to render Markdown previews or notebooks, but this exploit abuses them to simulate keyboard events in the main editor window via the `postMessage` API. The malicious JavaScript waits a few seconds for VS Code to surface a notification asking the user to install an extension, then fires a simulated `Ctrl+Shift+A` keystroke—the default shortcut for “Accept Notification Primary Action.” This silently approves the installation of an attacker‑controlled extension.
The attack bypasses the normal publisher trust prompt by using a feature called local workspace extensions. Any extension placed in a repository’s `.vscode/extensions` folder can be installed without any trust dialogue because VS Code treats it as part of the workspace rather than a third‑party download. Once installed, the malicious extension simply reads the pre‑loaded GitHub OAuth token from the runtime environment and exfiltrates it to an attacker‑controlled server, then calls `https://api.github.com/user/repos` to enumerate all private repositories the victim can access.
> Windows / macOS / Linux – Check currently authorized OAuth apps:
> “`bash
> List OAuth apps authorized with your GitHub account (manual step)
> gh auth status
>
> For deeper inspection, visit directly in browser:
> https://github.com/settings/applications
> “`
2. Immediate Mitigation: Clearing GitHub.dev Site Data
Because the vulnerability is not yet fully patched, the most immediate protection is to remove the persistent token that GitHub automatically passes to github.dev. Clearing cookies and local site data for `github.dev` forces the browser to re‑authenticate the next time you open a github.dev link, which will then display the “The extension ‘GitHub Repositories’ wants to sign in using GitHub” warning instead of silently passing the token.
Step‑by‑step guide to clear github.dev site data:
1. Chrome / Edge
– Open `github.dev` in any tab.
– Click the padlock (🔒) icon in the URL bar.
– Select Cookies and site data > Manage on‑device site data.
– Find `github.dev` and click the trash icon to remove all cookies and site data.
– Click Done and reload the page.
2. Firefox
– Navigate to `github.dev`.
– Click the shield icon or lock icon in the URL bar.
– Choose Clear Cookies and Site Data.
– Confirm the action.
3. Safari
– Go to `github.dev`.
– Click Safari menu > Preferences > Privacy.
– Click Manage Website Data, search for `github.dev`, and remove it.
> Linux / Windows – Use command line to clear browser storage for github.dev (Chromium‑based):
> “`bash
> Close all browser instances first
> On Linux (Google Chrome)
> rm -rf ~/.config/google-chrome/Default/Storage/ext/https_github.dev_0.localstorage
>
> On Windows (PowerShell as admin)
> Remove-Item -Path “$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Local Storage\leveldb” -Recurse -Force
> “`
After clearing, the next time you open a github.dev link you will see the expected trust dialog, giving you an opportunity to reject malicious extension installations.
3. Revoking Stolen Tokens Using GitHub CLI and Web Interface
If you suspect your token has already been compromised, immediate revocation is critical. GitHub OAuth tokens issued via the github.dev flow are listed under Authorized OAuth Apps in your GitHub account settings.
Step‑by‑step token revocation:
– Using the web interface:
1. Log into GitHub and navigate to Settings (avatar > Settings).
2. In the left sidebar, click Applications.
3. Under Authorized OAuth Apps, find “GitHub Repositories” or any suspicious app.
4. Click the Revoke button next to it.
5. Confirm revocation.
– Using GitHub CLI (gh) – revoke all CLI‑generated tokens:
> ⚠️ This revokes all tokens ever generated by GitHub CLI across all your devices.
Log out and revoke tokens (web‑based step) gh auth logout Then visit https://github.com/settings/applications, select "GitHub CLI", and click Revoke Access
– Revoke an individual token programmatically (requires token ID):
List authorized tokens (requires user:read scope) curl -H "Authorization: token YOUR_VALID_TOKEN" https://api.github.com/applications/grants Then revoke a specific grant: curl -X DELETE -H "Authorization: token YOUR_VALID_TOKEN" https://api.github.com/applications/grants/GRANT_ID
After revocation, immediately rotate any other secrets that might have been exposed and check repository audit logs for unauthorized pushes or changes.
4. Hardening VS Code Against Local Workspace Extensions Abuse
The attack’s success depends on VS Code’s default behavior of trusting any extension placed in the `.vscode/extensions` folder. Enterprises and individual developers can enforce strict extension policies to block this vector.
VS Code settings to restrict extension installations (Linux / Windows / macOS):
1. Open VS Code and go to Preferences > Settings (`Ctrl+,`).
2. Search for `extensions.allowed` (introduced in VS Code 1.96).
3. Configure an allow‑list of extensions that are permitted to run. For example:
{
"extensions.allowed": {
"publisher.extensionName": true,
"ms-python.python": true
}
}
Any extension not in the allow‑list will be disabled automatically.
4. Disable local workspace extensions completely by setting:
{
"extensions.supportUntrustedWorkspaces": false
}
5. Enable Workspace Trust and set it to require explicit trust for every folder:
{
"security.workspace.trust.enabled": true,
"security.workspace.trust.banner": true
}
6. Block known malicious extensions using the `Permission Guard` extension or by adding blocked IDs to settings:
{
"permissionGuard.blockedExtensionIds": ["unknown-publisher.suspicious-extension"]
}
> For enterprise environments – deploy via Group Policy (Windows) or configuration file (Linux/macOS):
> – Windows: Place a `settings.json` with the above policies in `%APPDATA%\Code\User\`.
> – Linux/macOS: Use `/etc/Code/User/settings.json` for system‑wide enforcement.
5. Least Privilege: Replacing Wide‑Scope Tokens with Fine‑Grained PATs
The underlying issue is that GitHub’s github.dev OAuth token has no repository scoping—once stolen, it grants full access to everything. The best defense is to avoid using such wide‑scope tokens altogether and switch to fine‑grained personal access tokens (PATs) for all CLI and API interactions.
What are fine‑grained PATs?
Unlike classic PATs (which have broad scopes like `repo` that give access to all repositories), fine‑grained PATs allow you to specify exactly which repositories, which organizations, and which permissions the token can access. They also support expiration times (1–90 days) and can be rotated easily. GitHub now enables fine‑grained PATs by default for all organizations.
Step‑by‑step: Generate and use a fine‑grained PAT
1. Create a fine‑grained PAT
– Go to GitHub Settings > Developer settings > Personal access tokens > Fine‑grained tokens.
– Click Generate new token.
– Set a token name and expiration (e.g., 30 days).
– Under Repository access, choose Only select repositories and pick exactly the repos your tool needs.
– Under Permissions, grant only the minimum required (e.g., `Contents: read` for a CI pipeline).
– Click Generate token and copy it immediately—you won’t see it again.
2. Use the fine‑grained PAT in VS Code or CLI
For Git operations git clone https://[email protected]/owner/repo.git For GitHub CLI (gh) export GITHUB_TOKEN="github_pat_xxxxxxxxxxxx" gh repo list --limit 10
3. Audit and revoke fine‑grained PATs
List all fine‑grained tokens (via API) curl -H "Authorization: token YOUR_ACCESS_TOKEN" https://api.github.com/user/personal-access-tokens Revoke a token curl -X DELETE -H "Authorization: token YOUR_ACCESS_TOKEN" https://api.github.com/user/personal-access-tokens/TOKEN_ID
Why this matters: If a fine‑grained PAT is stolen, the attacker can only access the specific repositories and actions you explicitly allowed—not your entire GitHub account. This reduces the blast radius from “full account compromise” to “isolated repository breach.”
6. Monitoring and Detecting Unauthorized GitHub API Access
Even if an attacker steals a token, you can detect the breach by monitoring GitHub audit logs and unexpected API calls.
Step‑by‑step detection:
1. Enable GitHub audit logging (for organizations):
– Go to Organization Settings > Audit log.
– Filter for events like `oauth_access_token.revoked`, `repo.create`, or `git.push`.
2. Monitor API calls to `/user/repos` – this endpoint is directly used by the malicious extension to enumerate all your repositories.
– Use GitHub’s Security tab > Secret scanning to check for leaked tokens.
3. Set up runtime monitoring for your IDE:
– Install an extension like “Security Audit for VS Code” that logs every network request made by extensions.
– Alternatively, use a local proxy like Burp Suite or mitmproxy to inspect outgoing requests from VS Code webviews.
Start mitmproxy to monitor VS Code traffic (Linux/macOS) mitmweb --listen-port 8080 Then launch VS Code with proxy settings: code --proxy-server="http://localhost:8080"
4. Check for unauthorized private repository enumeration using the GitHub CLI:
List all repositories accessible by the current token gh api user/repos --paginate --jq '.[].full_name' If you see repositories you don't recognize, your token may be compromised
5. Review the token’s last used time and IP:
– Go to Settings > Applications > Authorized OAuth Apps.
– Look for the “GitHub Repositories” app and check its last used timestamp.
– If the timestamp does not match your activity, revoke it immediately.
What Undercode Say
– Key Takeaway 1: A single malicious click on a github.dev link can silently steal an unbounded GitHub OAuth token, granting attackers full read/write access to all your public and private repositories—a catastrophic failure of least privilege in the default design.
– Key Takeaway 2: The root causes are threefold: GitHub OAuth tokens passed to github.dev have no repository scoping; VS Code webviews can simulate keyboard events across trust boundaries; and local workspace extensions install without any publisher verification. Until Microsoft addresses these design flaws, developers must manually clear browser site data, enforce extension allow‑lists, and migrate to fine‑grained PATs for every API and CLI interaction.
Analysis: This zero‑day is not just a bug; it reveals a systemic trust issue in modern cloud‑based IDEs. The developer community has long treated “click a link to open a repository” as safe—but the combination of cross‑origin message passing, hidden HTML snippets, and silent extension installation creates a perfect supply‑chain attack vector. Ammar Askar’s decision to publicly disclose the exploit within one hour of notifying GitHub reflects growing frustration with Microsoft’s Security Response Center (MSRC), which previously dismissed similar VS Code bugs as “low severity” or silently fixed them without credit. For defenders, the lesson is clear: never assume an IDE’s sandbox is secure, always clear persistent auth tokens after use, and treat every `.ipynb` file in an untrusted repository as a potential entry point for a full account takeover.
Prediction
– -1: Proliferation of IDE‑targeted supply‑chain attacks – Over the next 12 months, similar vulnerabilities will be discovered in other cloud‑based IDEs (e.g., CodeSandbox, Replit, GitPod), as they all rely on OAuth token passing and webview sandboxes. Attackers will weaponize notebook files and markdown previews to inject malicious JavaScript, leading to a wave of developer credential theft.
– -1: Microsoft’s delayed patch cycle will cause real‑world exploits – Because no CVE has been assigned yet and the fix is only “under development,” threat actors have a window of weeks or months to craft phishing campaigns using the publicly available PoC. Expect large‑scale targeting of open‑source maintainers and enterprise GitHub users.
– +1: Mandatory move toward fine‑grained PATs and OIDC – This incident will force GitHub and Microsoft to accelerate deprecation of classic PATs and default to fine‑grained, repository‑scoped tokens for all browser‑based IDE sessions. Within one year, github.dev will likely require explicit, per‑repository authorization instead of a global OAuth token, dramatically reducing the impact of similar token theft attacks.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: [Cybersecuritynews Share](https://www.linkedin.com/posts/cybersecuritynews-share-7467760585057726465-B08D/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)
📢 Follow UndercodeTesting & Stay Tuned:
[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)
