1-Click GitHub Token Stealing via a VSCode Bug
A security researcher named Ammaraskar discovered a one-click vulnerability in both the browser-based github.dev (VS Code) and desktop VS Code that allows attackers to steal users' GitHub tokens with full access to public and private repositories. The exploit leverages webview keydown event handling to bypass VS Code's extension publisher trust checks via local workspace extensions. The researcher opted for public disclosure after a negative prior experience with Microsoft's Security Response Center (MSRC), and warned that users who have previously used github.dev are at high risk unless they clear their browser's site data.
- First seen: Jun 2, 2026, 11:29 PM
- Last updated: Jun 3, 2026, 4:40 PM