
VS Code zero‑day exposes GitHub tokens via malicious Jupyter notebook

vulnerability · open · Jun 3, 2026 — Jun 4, 2026
Researcher discloses VS Code zero day, leaks GitHub tokens

A security researcher has published details of a zero‑day flaw in Visual Studio Code that allows the theft of GitHub authentication tokens.

The vulnerability exists in the web-based editor github.dev, where a malicious Jupyter notebook can trigger installation of a rogue extension that reads the token stored in the browser’s local storage. No CVE identifier has been assigned to the issue at this time.

When a user opens the compromised notebook in github.dev, the crafted code runs in the VS Code webview context, granting it the same privileges as the legitimate editor and allowing it to query the GitHub token API. The attacker can then exfiltrate the token to an external server for misuse.

Although no threat actors have been observed exploiting the flaw in the wild, the researcher chose full disclosure after previous reports to Microsoft were allegedly ignored. Microsoft issued a patch shortly after the blog post went live, adding to the ongoing debate over responsible disclosure when researchers lose faith in vendor processes.

Users should clear the application storage for github.dev in their browser settings, avoid opening notebooks from unknown sources and keep their VS Code installation up to date. Organisations are encouraged to rotate any GitHub tokens that may have been exposed and to adopt short‑lived tokens or token‑based authentication with limited scopes.

Security teams should monitor authentication logs for unusual API calls from unfamiliar IP addresses and consider adding behavioural alerts for sudden spikes in token usage. Maintaining an open channel with bug bounty programmes can help prevent future loss of trust.
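The two checks described above (token use from an unfamiliar IP address, and a sudden spike in token usage) can be sketched as follows. This is an added example, not code from the researcher or from Microsoft; the event schema, token names, IP addresses, window and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field names (ts, token_id, ip) are
# assumptions; map them from whatever your audit-log export provides.
SAMPLE_EVENTS = [
    {"ts": "2026-06-01T09:00:00", "token_id": "tok-A", "ip": "198.51.100.10"},
    {"ts": "2026-06-02T09:05:00", "token_id": "tok-A", "ip": "198.51.100.10"},
    {"ts": "2026-06-02T10:00:00", "token_id": "tok-B", "ip": "192.0.2.5"},
    {"ts": "2026-06-03T09:00:00", "token_id": "tok-A", "ip": "198.51.100.10"},
    {"ts": "2026-06-03T14:00:00", "token_id": "tok-B", "ip": "192.0.2.5"},
] + [  # burst of six calls in one minute from an address never seen before
    {"ts": f"2026-06-03T22:10:{s:02d}", "token_id": "tok-A", "ip": "203.0.113.77"}
    for s in range(0, 60, 10)
]


def detect(events, baseline_until, window=timedelta(minutes=5), spike_threshold=5):
    """Flag token use from IPs absent from the baseline period, and bursts of
    spike_threshold or more calls by one token inside a sliding window."""
    known_ips = defaultdict(set)   # token -> IPs already seen
    recent = defaultdict(deque)    # token -> call times inside the window
    in_spike = set()               # tokens currently above the threshold
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        tok, ip = ev["token_id"], ev["ip"]
        if ts < baseline_until:    # learning phase: record, never alert
            known_ips[tok].add(ip)
            continue
        if ip not in known_ips[tok]:
            alerts.append(("new_ip", tok, ip, ev["ts"]))
            known_ips[tok].add(ip)  # one alert per (token, ip) pair
        calls = recent[tok]
        calls.append(ts)
        while ts - calls[0] > window:   # drop calls that left the window
            calls.popleft()
        if len(calls) < spike_threshold:
            in_spike.discard(tok)
        elif tok not in in_spike:       # alert once when the burst starts
            in_spike.add(tok)
            alerts.append(("spike", tok, ip, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, baseline_until=datetime(2026, 6, 3)):
        print(alert)
```

A token that raises both alerts in quick succession, as tok-A does in the sample data, is a strong candidate for immediate rotation.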

Intelligence briefing updated Jun 10, 2026

Root source: blog.ammaraskar.com