GitHub passed an unscoped OAuth token to the browser-based VSCode instance; a manipulated Jupyter Notebook extension could obtain it, giving an attacker access to all of the developer's private repositories.
A debug flag left enabled in the Microsoft 365 Android apps let any other app on the same device steal authentication tokens and take over the user's account completely.
Attackers compromised the popular npm package codexui-android (~27,000 weekly downloads) with malware that steals long-lived OpenAI tokens; the malicious code evaded both code audits and Google Play review.
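A check a practitioner wants after an item like the npm one, as an added example that is not code from the original page or from any of the parties named: a Python audit that walks an npm package-lock.json and reports every installed copy of a named package, direct or transitive, plus the packages that declared it as a dependency (so you know who pulled it in). The lockfile below is a constructed sample, and the script makes no claim about which versions of codexui-android are affected; compare the versions it reports against the advisory you are acting on.

```python
"""Audit an npm package-lock.json for every copy of a named package."""
import json
from typing import Dict, List, Tuple

# Constructed sample lockfile (lockfileVersion 3 layout) for this example only;
# it is not taken from any real project, and the versions are invented.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"left-pad": "^1.3.0", "ui-kit": "^2.0.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/ui-kit": {
            "version": "2.0.0",
            "dependencies": {"codexui-android": "^0.9.0"}},
        "node_modules/ui-kit/node_modules/codexui-android": {
            "version": "0.9.4",
            "resolved": "https://registry.npmjs.org/codexui-android/-/codexui-android-0.9.4.tgz"},
    },
})


def package_name_from_path(path: str) -> str:
    """Map an install path to a package name, keeping scopes intact:
    'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    idx = path.rfind("node_modules/")
    return path[idx + len("node_modules/"):]


def find_package(lock_text: str, target: str) -> List[Tuple[str, str, str]]:
    """Return (install_path, version, resolved_url) for every copy of `target`.

    Handles the flat "packages" map of lockfileVersion 2/3 and the nested
    "dependencies" tree of lockfileVersion 1, so nested duplicate installs
    (a second copy under another package's node_modules) are not missed.
    """
    lock = json.loads(lock_text)
    hits: List[Tuple[str, str, str]] = []
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2/3
        for path, meta in packages.items():
            if path and package_name_from_path(path) == target:
                hits.append((path, meta.get("version", "?"), meta.get("resolved", "")))
        return hits

    def walk(deps: Dict, prefix: str) -> None:  # lockfileVersion 1
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == target:
                hits.append((path, meta.get("version", "?"), meta.get("resolved", "")))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


def dependents_of(lock_text: str, target: str) -> List[str]:
    """Names of installed packages (or the root project) that declare `target`
    as a dependency or optionalDependency. lockfileVersion 2/3 only, because
    v1 lockfiles do not record per-package declared ranges in this form."""
    lock = json.loads(lock_text)
    out: List[str] = []
    for path, meta in lock.get("packages", {}).items():
        declared = {**meta.get("dependencies", {}), **meta.get("optionalDependencies", {})}
        if target in declared:
            out.append(package_name_from_path(path) if path else lock.get("name", "<root>"))
    return out


if __name__ == "__main__":
    # Usage on a real project: replace SAMPLE_LOCK with open("package-lock.json").read()
    target = "codexui-android"
    for path, version, resolved in find_package(SAMPLE_LOCK, target):
        print(f"{target}@{version} installed at {path} ({resolved})")
    print("pulled in by:", ", ".join(dependents_of(SAMPLE_LOCK, target)) or "nobody")
```

Run it against every lockfile in the repository (including those of internal tooling and CI images), not just the application's own, and treat any hit as a reason to rotate the OpenAI tokens that environment could reach.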