VS Code Vulnerability Allows One-Click GitHub Token Theft

A researcher has disclosed the full details of the vulnerability and released a PoC without notifying Microsoft in advance. The post VS Code Vulnerability Allows One-Click GitHub Token Theft appeared first on SecurityWeek .

SecurityWeek reports a vulnerability in VS Code / github.dev where a researcher publicly disclosed full details and a proof-of-concept that enables one-click theft of GitHub OAuth tokens, without prior disclosure to Microsoft.[2][3][8] These tokens can grant read/write access to private repositories and broader developer resources, enabling code tampering, data exfiltration, and downstream supply-chain compromise for any systems (including AI systems) that depend on that code.[2][3] From a CyberSE.AI perspective, this is an AI supply chain risk because compromised GitHub tokens can be used to alter AI models, prompts, agents, or pipelines stored in affected repos, inject malicious logic, or exfiltrate proprietary AI assets without directly attacking the AI system itself. Organizations should harden developer environments, enforce least-privilege and time-bound GitHub tokens, and include VS Code / github.dev and extension usage in AI-focused SBOM, supply-chain reviews, and continuous security monitoring.