New GitHub Zero-Day Exposed Developer Tokens to Attackers

New GitHub Zero-Day Exposed Developer Tokens to Attackers

New GitHub Zero-Day Exposed Developer Tokens to Attackers

Image: ChatGPT

A github.dev flaw could let attackers steal GitHub OAuth tokens through a one-click attack, exposing private repositories and codebases.

Jun 4, 2026

A single click on the wrong repository could have put a developer’s GitHub access at risk.

Security researcher Ammar Askar disclosed a zero-day vulnerability in github.dev, GitHub’s browser-based VSCode environment, that could expose GitHub OAuth tokens through a flaw in VSCode webviews. Those tokens could give attackers access to repositories and organizational code available to the affected developer.

Microsoft introduced mitigations on June 3, according to Askar’s disclosure timeline, but the bug is a sharp reminder of how much trust modern development workflows place in browser-based coding tools.

Understanding how the vulnerability works

VSCode is a desktop coding tool owned by Microsoft, the same company that owns GitHub, a code management platform. Over time, Microsoft has tightly integrated both tools to make moving between coding and code management seamless.

One example is github.dev, a browser-based version of VSCode that lets developers open and edit repositories directly from GitHub using GitHub OAuth credentials. According to security researcher Ammar Askar, trusted integration is what made the vulnerability possible.

Askar notes that the attacker begins by tricking a developer into opening a compromised repository using github.dev. The repository, in turn, loads a malicious extension into the workspace.

The issue stems from the way the extension communicates with VSCode via a webview. According to Askar, a bug in github.dev’s webview allowed a malicious extension to escape the sandbox and steal GitHub tokens, enabling an attacker to impersonate the developer.

Beyond having read access, the attacker could also gain write access to available repositories. That could let them delete codebases, clone private repositories, or push malicious code to production software.

For a better understanding of how this works, refer to the proof-of-concept Askar dumped.

Must-read security coverage

How developers can stay safe

Aside from being careful with the repositories they open, developers can also protect against this vulnerability by clearing cached data for github.dev.

To do that:

  • Click Site Settings from your URL bar
  • Click on cookies and site data
  • Click Delete data

The exact steps for this will depend on your browser.

The vulnerability was not left unaddressed for long. Askar’s disclosure timeline shows that GitHub received an hour’s notice before publication, with Microsoft introducing an initial safeguard on June 3 and following it up with a broader fix later that day. That response reduces the immediate risk, but the disclosure highlights how valuable GitHub authentication tokens can be if stolen.

Also read: Grafana refused a ransom demand after attackers used a stolen GitHub token to download code from private repositories.

Joseph Ofonagoro

Joseph is a technical writer with about three years of experience creating clear, practical content across consumer technology, startups, tutorials, and cybersecurity. He is also advancing a career in cyber threat intelligence, driven by a strong interest in the responsible use of technology and its role in protecting people, organizations, and digital systems. His passion for cybersecurity grew out of a broader commitment to helping others understand technology safely and effectively. As an undergraduate at the National Open University of Nigeria, he leads a community of technology enthusiasts, guiding beginners, sharing learning resources, and helping students build confidence as they explore careers in tech. Joseph’s writing combines technical curiosity with an accessible, beginner-friendly style. In addition to his editorial work, he periodically shares cybersecurity case studies and research reports on social media, covering threat trends, security lessons, and practical insights for readers interested in cyber awareness and digital safety.