Microsoft has patched a critical vulnerability in Visual Studio Code that could allow attackers to steal GitHub OAuth tokens with a single click.

Researcher Ammar Askar disclosed the flaw on June 2, 2026. Microsoft shipped a fix the next day.

The attack targets GitHub.dev, the browser-based version of VS Code. It exploits the webview system, which renders embedded content inside the editor.

A malicious link opens a GitHub.dev workspace containing a Jupyter notebook with harmful JavaScript. The script simulates keyboard events, installs a malicious extension, and exfiltrates the GitHub OAuth token.

The patch adds a confirmation prompt for certain file types and blocks harmful extension commands.
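A defender-side triage check for the notebook vector described above, as an added example that is not from the original article or from Microsoft's patch: it flags script-bearing Markdown cells and saved outputs in a `.ipynb` file before it is opened. That the script sits in Markdown source or saved output data is an assumption (the article does not say where), and `scan_notebook` and the sample notebook are constructed for illustration.

```python
import json
import re

# MIME types that a notebook renderer may execute or render as active HTML.
ACTIVE_MIME = {"application/javascript", "text/html", "image/svg+xml"}
# Heuristic markers of script execution inside HTML/SVG/Markdown content.
SCRIPT_RE = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)


def _text(value):
    """nbformat stores text as a string or as a list of line strings."""
    return "".join(value) if isinstance(value, list) else str(value or "")


def scan_notebook(raw):
    """Return (cell_index, location, reason) findings for a .ipynb JSON string."""
    findings = []
    nb = json.loads(raw)
    for i, cell in enumerate(nb.get("cells", [])):
        # Markdown cells can embed raw HTML.
        if cell.get("cell_type") == "markdown" and SCRIPT_RE.search(_text(cell.get("source"))):
            findings.append((i, "markdown source", "script marker"))
        # Saved outputs can be rendered when the notebook opens, before any cell runs.
        for out in cell.get("outputs", []):
            for mime, body in out.get("data", {}).items():
                if mime == "application/javascript":
                    findings.append((i, mime, "javascript output"))
                elif mime in ACTIVE_MIME and SCRIPT_RE.search(_text(body)):
                    findings.append((i, mime, "script marker"))
    return findings


# Constructed sample: one benign cell, one cell whose saved output carries a script tag.
SAMPLE = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {}, "source": ["# Results\n"]},
        {"cell_type": "code", "metadata": {}, "execution_count": 1, "source": ["df.head()"],
         "outputs": [{"output_type": "display_data", "metadata": {},
                      "data": {"text/plain": ["<table>"],
                               "text/html": ["<div>ok</div>", "<script>/* placeholder */</script>"]}}]},
    ],
})

if __name__ == "__main__":
    for finding in scan_notebook(SAMPLE):
        print(finding)
```

The regular expression is a triage heuristic, so a hit means the notebook deserves manual review, not that it is malicious.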

This follows a May 20, 2026, breach in which a poisoned VS Code extension compromised roughly 3,800 internal GitHub repositories.