Find notable cyber news and cases, enriched with sources, timelines, and signals.

Visual Studio Code VS Code token-theft zero-day security flaw

Vulnerability
First reported
Last updated
Happening score
H score 44
2 unique sources, 2 articles

Summary

Hide ▲

A Visual Studio Code (VS Code) zero-day lets attackers steal GitHub OAuth tokens by abusing the editor's sandboxed webview message-passing system. The flaw is especially risky for github.dev users because a malicious link can install an extension that runs JavaScript, simulates keypresses, and extracts the token. With that token, an attacker can query the GitHub API and enumerate private repositories the victim can access. The vulnerability is unpatched and has no CVE ID yet.

Related Happenings

Cursor Windows repo-root git.exe code execution security flaw

Vulnerability
H score9 First: 15.07.2026 13:55 Last: 15.07.2026 13:55 Sources 1

About this happening: Cursor on Windows automatically runs a repo-root git.exe when a repository is opened, creating arbitrary code execution as the logged-in user. The flaw affects cloned...

GitHub Agentic Workflows indirect prompt injection security flaw

Vulnerability
H score27 First: 07.07.2026 17:04 Last: 07.07.2026 17:04 Sources 1

About this happening: GitHub Agentic Workflows has an indirect prompt injection flaw that can let a public issue leak content from private repositories into public comments. The risk is...

Claude Code GitHub Action bot trigger bypass security flaw

Vulnerability
H score31 First: 04.06.2026 18:15 Last: 04.06.2026 18:15 Sources 1

About this happening: Anthropic's Claude Code GitHub Action had a trigger-check bypass that let a malicious GitHub issue escalate into repository takeover for vulnerable public reposito...

Miasma GitHub and npm supply-chain campaign

Campaign
H score26 First: 02.06.2026 00:38 Last: 02.06.2026 00:38 Sources 1

About this happening: Miasma is a supply-chain campaign that began in Red Hat's @redhat-cloud-services npm namespace and later expanded across npm, PyPI, the Go ecosystem, and Git...

Latest development: 05.06.2026 21:05

A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.

Malware-Slop malicious npm file-theft campaign

Campaign
H score39 First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: Malware-Slop is distributing mouse5212-super-formatter, a malicious npm package that steals local files from Anthropic's Claude workspace directory /mnt/user-dat...

Timeline

  1. 03.06.2026 15:58 1 articles · 1mo ago

    Microsoft acknowledges VS Code GitHub.dev token-theft flaw

    Mitigation Patch Update

    Microsoft has acknowledged a Visual Studio Code vulnerability that can let an attacker use a crafted link and malicious webview message-passing to steal a victim's GitHub OAuth token via GitHub.dev, and said it is working on a fix; Microsoft also said the issue does not affect VS Code Desktop.

    Show sources
  2. 03.06.2026 09:50 2 articles · 1mo ago

    VS Code zero-day exploit code steals GitHub OAuth tokens

    Initial Disclosure

    A security researcher releases exploit code for a Visual Studio Code zero-day that steals GitHub authentication tokens when a user clicks a crafted link, abusing VS Code's sandboxed webview message-passing system to run malicious JavaScript, simulate keypresses, install an extension, and extract GitHub OAuth tokens passed to github.dev so the attacker can enumerate private repositories the victim can access. The flaw is unpatched and has not been assigned a CVE ID yet.

    Show sources