Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Watchlists Beta Browse News Feed Stats About Contact

Visual Studio Code VS Code token-theft zero-day security flaw

Vulnerability
First reported
Last updated
Happening score
H score 44
2 unique sources, 2 articles

Summary

Hide ▲

A Visual Studio Code (VS Code) zero-day lets attackers steal GitHub OAuth tokens by abusing the editor's sandboxed webview message-passing system. The flaw is especially risky for github.dev users because a malicious link can install an extension that runs JavaScript, simulates keypresses, and extracts the token. With that token, an attacker can query the GitHub API and enumerate private repositories the victim can access. The vulnerability is unpatched and has no CVE ID yet.

Related Happenings

Miasma GitHub and npm supply-chain campaign

Campaign
First: 02.06.2026 00:38 Last: 02.06.2026 00:38 Sources 1

About this happening: A **Miasma** supply-chain campaign has spread through **GitHub** and **npm** abuse, compromising **309 GitHub repositories** and widening the risk of credential theft across devel...

Open Happening

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...

Open Happening

Megalodon GitHub CI/CD supply-chain campaign

Campaign
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...

Open Happening

Rwl.angular-console (Nx Console) hit by network compromise

Incident
First: 19.05.2026 10:49 Last: 19.05.2026 10:49 Sources 1

About this happening: The **Nx Console** extension **rwl.angular-console 18.95.0** was compromised on the **VS Code Marketplace**, exposing **developers** to a **credential-stealing** payload and suppl...

Open Happening

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Open Happening

Timeline

  1. 03.06.2026 15:58 1 articles · 6h ago

    Microsoft acknowledges VS Code GitHub.dev token-theft flaw

    Mitigation Patch Update

    Microsoft has acknowledged a Visual Studio Code vulnerability that can let an attacker use a crafted link and malicious webview message-passing to steal a victim's GitHub OAuth token via GitHub.dev, and said it is working on a fix; Microsoft also said the issue does not affect VS Code Desktop.

    Show sources
    Open in new tab
  2. 03.06.2026 09:50 2 articles · 12h ago

    VS Code zero-day exploit code steals GitHub OAuth tokens

    Initial Disclosure

    A security researcher releases exploit code for a Visual Studio Code zero-day that steals GitHub authentication tokens when a user clicks a crafted link, abusing VS Code's sandboxed webview message-passing system to run malicious JavaScript, simulate keypresses, install an extension, and extract GitHub OAuth tokens passed to github.dev so the attacker can enumerate private repositories the victim can access. The flaw is unpatched and has not been assigned a CVE ID yet.

    Show sources
    Open in new tab