A severe vulnerability has been disclosed in Visual Studio Code (VS Code) that allowed an attacker to steal a user's GitHub token and, with it, gain access to their repositories. The vulnerability, found by researcher Ammar Askar, is exploited through a crafted Jupyter notebook that, when opened in the web version of VS Code, can install a malicious extension that harvests the token. Microsoft released a fix soon after disclosure.
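The article does not describe the mechanics of the crafted notebook, and no exploit details are reproduced here. What a practitioner can do regardless is triage a notebook from an untrusted source before opening it in any editor that renders notebook content. The script below is an added example (not code from the advisory, from Ammar Askar, or from VS Code); it assumes only the public .ipynb JSON layout (nbformat 4, in which code cells carry `outputs` whose `data` dicts are keyed by MIME type) and reports stored outputs and markdown that a renderer might treat as live HTML, JavaScript or SVG. The sample notebook embedded at the bottom is constructed for the demonstration.

```python
"""Triage a Jupyter notebook for active content before opening it in an editor.

Added example, not code from the advisory or from VS Code. It assumes only the
public .ipynb JSON layout (nbformat 4): cells carry a "cell_type", code cells
carry "outputs", and each output of type "display_data"/"execute_result" has a
"data" dict keyed by MIME type. Anything an editor might render as live
HTML/JavaScript is reported so the reviewer can inspect it as text first.
"""
import json
import re

# MIME types that a notebook renderer may execute or render as markup.
ACTIVE_MIME_TYPES = {
    "text/html",
    "application/javascript",
    "text/javascript",
    "image/svg+xml",  # SVG can carry <script> and event handlers
}
# Raw HTML in markdown cells that renderers commonly pass through untouched.
_HTML_MARKUP = re.compile(r"<\s*(script|iframe|img|object|embed|svg)\b", re.IGNORECASE)


def _source_text(cell):
    """nbformat allows "source" to be a string or a list of lines."""
    src = cell.get("source", "")
    return "".join(src) if isinstance(src, list) else src


def find_active_content(notebook: dict) -> list:
    """Return findings as (cell_index, location, detail) tuples, in cell order."""
    findings = []
    for idx, cell in enumerate(notebook.get("cells", [])):
        if cell.get("cell_type") == "markdown":
            m = _HTML_MARKUP.search(_source_text(cell))
            if m:
                findings.append((idx, "markdown source", f"raw <{m.group(1).lower()}> tag"))
            continue
        if cell.get("cell_type") != "code":
            continue
        for out_no, out in enumerate(cell.get("outputs", [])):
            # Only display_data / execute_result outputs carry MIME-keyed data;
            # stream and error outputs are plain text.
            if out.get("output_type") not in ("display_data", "execute_result"):
                continue
            data = out.get("data", {})
            for mime in sorted(set(data) & ACTIVE_MIME_TYPES):
                findings.append((idx, f"output {out_no}", f"stored {mime} payload"))
    return findings


def triage_file(path: str) -> list:
    """Load a notebook from disk and run the same checks."""
    with open(path, encoding="utf-8") as fh:
        return find_active_content(json.load(fh))


# Constructed sample notebook (not a real exploit): one benign cell, one cell
# whose stored output is HTML containing a script, one markdown cell with an iframe.
SAMPLE_NOTEBOOK = {
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "code", "source": "print('hello')",
         "outputs": [{"output_type": "stream", "name": "stdout", "text": "hello\n"}]},
        {"cell_type": "code", "source": "display(obj)",
         "outputs": [{"output_type": "display_data",
                      "data": {"text/plain": "<obj>",
                               "text/html": "<div><script>/* rendered on open */</script></div>"}}]},
        {"cell_type": "markdown",
         "source": ["# Notes\n", "<iframe src='https://example.invalid'></iframe>"]},
    ],
}

if __name__ == "__main__":
    for cell_idx, where, detail in find_active_content(SAMPLE_NOTEBOOK):
        print(f"cell {cell_idx}: {where}: {detail}")
```

A hit does not mean the notebook is malicious; rich HTML output is common in legitimate notebooks. It means the file contains content that will be interpreted rather than merely displayed, which is the part worth reading as text before trusting the notebook in an editor that holds credentials.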
This incident follows a trend in which researchers disclose vulnerabilities publicly after poor experiences with earlier reports, raising concerns about responsible-disclosure practices and how security research is handled.