VS Code Zero-Day Exposes GitHub Tokens in One Click — Exploit Code Is Public
A working exploit for an unpatched Visual Studio Code vulnerability is now public, and it does something particularly damaging: steal GitHub authentication tokens with a single click from the victim.
What Happened
A security researcher has released proof-of-concept exploit code for a zero-day flaw in VS Code that silently exfiltrates GitHub tokens stored in the editor's credential manager. The attack vector is alarmingly simple — the victim clicks a crafted link, and the token is gone. No malicious extension, no elevated privileges, no multi-step interaction required. As BleepingComputer reports, the PoC is already publicly available, meaning any threat actor can weaponize it immediately. Delivery vectors are obvious: phishing emails, malicious links in GitHub issues or pull request comments, README files in compromised repos, Discord messages.
Why This Matters
VS Code is the dominant editor for developers globally. The credential it targets — the GitHub authentication token — is effectively a master key. A stolen token can provide full read/write access to every repository the user can reach, including private and organization repos. It can be used to inject malicious code into CI/CD pipelines, backdoor automated build and deployment workflows, and create persistent supply chain footholds across dozens of projects. Classic GitHub tokens don't expire by default, and token use doesn't trigger the same alerting that a new login event might. Attackers who grab one quietly can hold it for weeks.
Public PoC code collapses the window between disclosure and weaponization to essentially zero. This is no longer a "patch soon" situation. Developers who routinely click links in documentation, issue trackers, and PR comments are in the direct firing line.
What to Do Right Now
There is no patch yet. Until Microsoft ships a fix, take these steps immediately:
1. Stop clicking untrusted links while VS Code is open. Any link from an unverified source — GitHub issues, emails, Slack, Stack Overflow — should be treated as potentially weaponized until a patch lands.
2. Rotate and scope your GitHub tokens. Go to GitHub Settings → Developer Settings → Personal Access Tokens and revoke anything with broader scope than strictly necessary. Issue replacements as fine-grained PATs scoped to specific repositories and permissions — this limits blast radius if a token is stolen.
3. Audit recent token activity. Check GitHub's audit log for unexpected repository clones, new OAuth app authorizations, or new deploy keys. Organization admins should enable audit log streaming or webhook alerts to surface anomalous token use quickly.
4. Consider temporarily signing out of GitHub in VS Code. Revoking VS Code's stored GitHub credential removes the target entirely. It's disruptive, but if your environment is high-value, it's the safest posture until a fix ships.
5. Enable VS Code auto-updates and watch for a patch. Microsoft typically delivers security fixes via the automatic update channel. Confirm "update.mode": "default" is set in your VS Code settings and check for a new release explicitly over the next 24–48 hours.
This vulnerability sits at the intersection of two things attackers love: ubiquitous tooling and high-value credentials. With public exploit code in the wild, treat this with the same urgency as an actively exploited CVE — because that is precisely what it is.
Synthesized by Claude · sanity-checked before publish.