Ammar Askar disclosed a VS Code vulnerability that lets an attacker steal a victim's GitHub token via a specially crafted Jupyter notebook. When the notebook is opened on github.dev, it runs inside the browser-hosted VS Code environment, which holds a GitHub OAuth token with full access to all of the user's repositories, and the notebook can retrieve that token for the attacker. The issue was disclosed on June 2 and patched by Microsoft on June 3. github.dev relies on OAuth tokens to allow code editing in a browser sandbox, and those tokens are not scoped to individual repositories, so a single leaked token exposes every repository the user can access.
VS Code zero-day lets hackers steal GitHub tokens in one click
Summary by ByteBrief