The Point: A 0-Day in VSCode allows attackers to compromise GitHub tokens through user interaction, but was disclosed without responsible disclosure practices.
A security researcher has publicly disclosed a critical one-click vulnerability in VSCode and GitHub without going through the Microsoft Security Resource Center (MSRC) coordinated disclosure process. The flaw allows attackers to steal authenticated GitHub tokens by manipulating affected users into interacting with specially crafted content; a single click is enough.
The researcher deliberately bypassed coordinated disclosure through the Microsoft Security Resource Center (MSRC). Under that practice, known as responsible disclosure or coordinated vulnerability disclosure, Microsoft would have had time to develop and deploy a patch before the details became public. By publishing the vulnerability without this coordination, the researcher has left organizations with no patch available.
For CISOs, this represents an immediate threat to developer and build environments using VSCode connected to GitHub. A compromised token allows attackers to manipulate code repositories, conduct supply-chain attacks, or escalate access. Organizations should immediately review their VSCode deployments, instruct users to exercise caution with suspicious links, configure GitHub tokens with minimal permissions, and enforce regular token rotation.
Source: borncity.com · Published June 3, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.