A serious security flaw in Visual Studio Code's webview lets attackers steal GitHub OAuth tokens, including tokens with read/write access to private repositories, by luring a victim into clicking a malicious link. The bug was made public on June 2, 2026, by security researcher Ammar Askar.
VSCode’s Webview Security Model
VSCode isolates potentially untrusted content in webviews: <iframe> elements served from a separate vscode-webview:// origin, distinct from the main editor's vscode-file:// origin.
This cross-origin isolation stops webview JavaScript from calling VSCode’s Node.js or editor APIs directly. Things like Markdown previews and Jupyter notebook outputs show up inside these sandboxed iframes.

To let the editor and webviews communicate, VS Code uses the Window.postMessage() API, which passes structured JavaScript objects between the two separate origins.
To keep the editing experience seamless, the webview setup registers an event handler for key presses that forwards every keyboard event from the webview to the main VSCode window via postMessage. This way, shortcuts such as Ctrl+Shift+P keep working even while focus is inside the webview.
Untrusted JavaScript in a webview can create synthetic keydown events that look like user keyboard input. The security boundary meant to separate "Dangerous APIs" from "Untrusted User Content" is therefore compromised, because the postMessage channel used for keyboard forwarding unintentionally links the two.
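The following is an added illustrative model of the forwarding bridge described above, not VS Code's own code or its fix: message shapes, the origin prefix and all command ids except workbench.extensions.installExtension are assumptions. It contrasts a bridge that resolves any forwarded keydown into a command with one that checks the sender origin, drops events the forwarding script did not see as user-generated, and allowlists which commands forwarded keys may trigger.

```javascript
// Illustrative model only (added example); not VS Code's implementation.
// Editor-side keybinding table; the notification command id is hypothetical.
const KEYBINDINGS = new Map([
  ['ctrl+shift+p', 'workbench.action.showCommands'],
  ['ctrl+shift+a', 'notifications.acceptPrimaryAction'],
  ['ctrl+f1', 'workbench.extensions.installExtension'],
]);

// Commands a lower-trust webview may trigger through forwarded keystrokes.
// Accepting notifications or installing extensions is deliberately excluded.
const WEBVIEW_SAFE_COMMANDS = new Set(['workbench.action.showCommands']);

const WEBVIEW_ORIGIN_PREFIX = 'vscode-webview://'; // assumed origin prefix

// Normalise a forwarded key event into a chord string such as "ctrl+shift+p".
function toChord(ev) {
  const parts = [];
  if (ev.ctrlKey) parts.push('ctrl');
  if (ev.shiftKey) parts.push('shift');
  if (ev.altKey) parts.push('alt');
  parts.push(String(ev.key).toLowerCase());
  return parts.join('+');
}

// Flawed bridge: every "did-keydown" message resolves to a command, so a
// fabricated keydown from webview JavaScript drives the editor like real typing.
function vulnerableBridge(msg, dispatch) {
  if (msg.data.type !== 'did-keydown') return null;
  const cmd = KEYBINDINGS.get(toChord(msg.data.event)) ?? null;
  if (cmd) dispatch(cmd);
  return cmd;
}

// Hardened bridge. The isTrusted flag (false for dispatchEvent()-created DOM
// events) only helps if the forwarding script cannot be impersonated by the
// content it hosts, so the allowlist is the control that actually bounds damage.
function hardenedBridge(msg, dispatch) {
  if (!msg.origin.startsWith(WEBVIEW_ORIGIN_PREFIX)) return null;
  if (msg.data.type !== 'did-keydown' || msg.data.event.isTrusted !== true) return null;
  const cmd = KEYBINDINGS.get(toChord(msg.data.event)) ?? null;
  if (!cmd || !WEBVIEW_SAFE_COMMANDS.has(cmd)) return null;
  dispatch(cmd);
  return cmd;
}

// Constructed sample: what the bridge receives after webview script fabricates
// a Ctrl+Shift+A keydown (the forwarding script saw isTrusted === false).
const FORGED_KEYDOWN = { origin: 'vscode-webview://example', data: { type: 'did-keydown',
  event: { key: 'A', ctrlKey: true, shiftKey: true, altKey: false, isTrusted: false } } };
```

Feeding FORGED_KEYDOWN to vulnerableBridge dispatches the notification-accept command; hardenedBridge returns null and dispatches nothing.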

Exploit Chain: From Click to Token Exfiltration
Security researcher Ammar Askar published a complete proof-of-concept on June 2, 2026, demonstrating a full token-theft attack. The attack chains five VSCode behaviours:
Jupyter Notebook can be abused through malicious .ipynb files that use an HTML image tag with an onerror handler to execute arbitrary JavaScript inside a webview iframe. Similarly, in Visual Studio Code (VSCode), attackers can leverage the .vscode/extensions.json file, which lists recommended extensions for the workspace.
The payload waits for the resulting recommendation notification from VSCode and then dispatches a synthetic Ctrl+Shift+A keydown event, which corresponds to the "Notifications: Accept Notification Primary Action" command, silently installing the malicious extension.
Instead of installing from the Marketplace, where a publisher trust dialog would be shown, the attacker can place the malicious extension directly in the .vscode/extensions/ directory.
This lets the extension bypass the trusted publisher check and rely solely on workspace trust; github.dev workspaces are always treated as trusted. Because of Content Security Policy restrictions, local extensions can only load their worker scripts from vscode-cdn.net.
To overcome this limitation, the attacker can add a custom keybinding (such as Ctrl+F1) through package.json that invokes the workbench.extensions.installExtension command with skipPublisherTrust set to true.
Once installed, the malicious extension gains access to the preloaded GitHub OAuth token and can send requests to https://api.github.com/user/repos to list all private repositories, ultimately exfiltrating both the token and the repository list.

The full JavaScript payload executes in well under a minute and requires zero interaction beyond the initial link click.

The vulnerability affects github.dev, the browser-based version of VSCode, as well as the desktop variant; on desktop, however, the victim must clone and open the attacker's repository.
On desktop, a successful exploit achieves full Remote Code Execution (RCE), since VSCode extensions have unrestricted access to Node.js APIs, including child_process. See the researcher's full report for details.
