He stated plainly he had "no interest" in dealing with the MSRC process again. The earlier bug was initially reported to GitHub's HackerOne program, which explicitly told him it was out of scope and to take it to MSRC — a bureaucratic handoff that left the finding uncompensated and unacknowledged.
The exploit orchestrates three vulnerabilities into a seamless chain that bypasses every security boundary github.dev has.
VS Code's webviews — the isolated sandboxes that render Jupyter Notebooks, Markdown previews, and similar content — are designed to be secure compartments. But to make keyboard shortcuts work inside them, the editor forwards key events from the sandboxed webview into the main editor process.
A malicious Jupyter Notebook inside the attacker's repository dispatches synthetic keyboard events (Ctrl+Shift+A, Ctrl+F1) from the sandboxed webview straight into the VS Code main window. These keystrokes silently trigger the "Install Extension" command and bypass the publisher verification trust dialog that normally blocks untrusted extensions.
The attacker's repository contains a pre-packaged VS Code extension stored in a .vscode/extensions folder. Because github.dev treats extensions that ship alongside the workspace as implicitly trusted, the malicious extension installs with absolutely no user permission prompt.
Once running, the rogue extension gains full access to github.dev's runtime environment. That environment holds a GitHub OAuth token that github.com silently POSTs to github.dev when any repository is opened. Critically, this token is not scoped to the currently open repository — it carries the user's full access privileges. The extension extracts the token, queries the GitHub API for the victim's private repository list, and exfiltrates both the token and repository metadata to the attacker.
The result: complete read and write access to every public and private repository the victim can touch, achieved with one link click.
Microsoft acknowledged the vulnerability on June 2, 2026, and confirmed it had been mitigated for its services — specifically github.dev and VS Code for the Web.
On June 3, Microsoft rolled out server-side fixes including a trust confirmation step when opening browser-based Notebooks, and blocking the extension install command from accepting arbitrary caller information. By June 4, additional webview event handling restrictions were deployed.
Microsoft stated the issue does not affect VS Code Desktop. However, the underlying pattern — trusting workspace extensions with insufficient verification — raises concerns for any VS Code user who opens untrusted repositories locally.
The exploit chain is remarkable for three reasons.
First, the attack surface is a URL. Victims don't download a file, open a terminal, or approve a permission. A browser link to github.dev is the only prerequisite.
Second, the token scope is alarmingly broad. The OAuth token github.com passes to github.dev is not limited to the repository being viewed. It carries the user's full GitHub permissions, meaning an attacker who compromises a developer working on a public open-source project also gains credentials for that developer's employer's private repositories.
Third, workspace trust is inverted. The feature that makes local development smooth — trusting extensions that ship with a project — becomes the very mechanism that grants the malicious payload automatic execution.
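A pre-open audit for the two repository-side pieces of the chain described above, the extension bundled under .vscode/extensions and the notebook that emits key events; this is an added example, not code from the researcher or Microsoft. The `KeyboardEvent`/`dispatchEvent` pattern and the function names are assumptions chosen for illustration, and a match is a prompt for manual review rather than proof of abuse.

```python
import json
import re
from pathlib import Path

# Heuristic (assumption): notebook script that builds or dispatches key events.
KEY_EVENT_RE = re.compile(r"KeyboardEvent|dispatchEvent|initKeyboardEvent")


def _text(value):
    """Notebook fields are either a string or a list of strings."""
    return "".join(value) if isinstance(value, list) else str(value)


def notebook_hits(path):
    """Return indexes of cells whose source or rich outputs match KEY_EVENT_RE."""
    try:
        nb = json.loads(Path(path).read_text(encoding="utf-8", errors="replace"))
    except (OSError, ValueError):
        return []  # unreadable or malformed notebook: nothing to parse
    hits = []
    for i, cell in enumerate(nb.get("cells", []) if isinstance(nb, dict) else []):
        blobs = [_text(cell.get("source", ""))]
        for out in cell.get("outputs", []):
            blobs += [_text(v) for v in out.get("data", {}).values()]
        if any(KEY_EVENT_RE.search(b) for b in blobs):
            hits.append(i)
    return hits


def audit_repo(root):
    """Return (kind, relative_path, detail) findings for a local checkout."""
    root = Path(root)
    findings = []
    ext_dir = root / ".vscode" / "extensions"
    if ext_dir.is_dir():  # any extension shipped with the workspace is flagged
        for entry in sorted(ext_dir.iterdir()):
            findings.append(("bundled-extension", entry.relative_to(root).as_posix(), ""))
    for nb in sorted(root.rglob("*.ipynb")):
        cells = notebook_hits(nb)
        if cells:
            findings.append(("notebook-key-events", nb.relative_to(root).as_posix(),
                             "cells " + ",".join(map(str, cells))))
    return findings


if __name__ == "__main__":
    import sys
    for finding in audit_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

Run it against a clone before opening the repository in an editor; an empty result only means neither heuristic matched.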
In a parallel disclosure, researchers published five zero-day vulnerabilities in the OpenClaw AI agent framework that allow attackers to impersonate allowlisted users and hijack trusted AI agent access across multiple messaging platforms.
The root cause is architectural: OpenClaw supports 15 different channel adapters — Telegram, Slack, Discord, WhatsApp, and more — and each adapter independently implements its own allowlist authorization and webhook verification. The security-critical identity fields used for allowlisting, such as human-readable display names, are mutable at the platform level and are resolved to stable user IDs inconsistently across adapters.
Because there is no centralized policy enforcement layer, attackers can:
A June 3, 2026 arXiv security analysis identified vulnerabilities across multiple architectural layers (execution policy, gateway, channel, sandbox, browser, plugin, and prompt), with the dominant structural pattern being per-layer, per-call-site trust enforcement rather than unified policy boundaries. The analysis found that discrete architectural weaknesses compose into complete unauthenticated remote code execution paths.
The Singapore Cyber Security Agency (CSA) issued an advisory in late May 2026 warning about unpatched vulnerabilities, weak access controls, and the risk of malicious third-party skills on the ClawHub marketplace.