VS Code Zero-Day Lets Attackers Steal GitHub Tokens in One Click
A security researcher has published working exploit code for a zero-day vulnerability in Visual Studio Code that can steal a developer's GitHub authentication token with a single click, according to a BleepingComputer report published June 3, 2025. No patch is currently confirmed as available at the time of writing.
What Happened
The vulnerability exists in Visual Studio Code, the dominant code editor used by millions of developers worldwide. A researcher released public proof-of-concept exploit code demonstrating that an attacker can craft a malicious link which, when clicked by a VS Code user, silently extracts the GitHub authentication token stored within the editor.
GitHub tokens stored in VS Code are used to authenticate to repositories, GitHub Copilot, and related services. Because the exploit requires only a single click from the victim and the attack vector is a link (which could arrive via email, chat, a code comment, or a fake website), the bar for exploitation is very low. The researcher's decision to publish exploit code means the technique is now accessible to a wide range of threat actors, not just sophisticated ones.
Why This Matters to Small Teams
For solo developers and small startups, a GitHub token is effectively a master key. It can grant read and write access to every private repository tied to that account. An attacker who steals your token could exfiltrate proprietary source code, inject malicious code into your codebase, tamper with CI/CD pipeline scripts, or pivot to cloud credentials and API keys that are stored as repository secrets.
Small teams are often more exposed than large organizations because they lack automated secret scanning, security monitoring, or token rotation policies. Many developers also grant broad scopes to their personal GitHub tokens out of convenience, meaning a stolen token has maximum blast radius. If your product ships to customers, a compromised repository is not just a technical problem: it becomes a supply chain risk for everyone who installs or uses your software.
The one-click nature of this exploit is also significant for the way modern developers work. Clicking links in pull request comments, Slack messages, Discord servers, and documentation is a normal part of the job. Attackers can embed a malicious link anywhere a developer might plausibly encounter it, making phishing-style delivery trivial without any traditional phishing red flags.
How to Stay Protected
- Revoke and rotate your GitHub tokens now. Go to GitHub Settings, then Developer Settings, then Personal Access Tokens, and revoke any token you do not actively need. For tokens you do need, regenerate them and note the new values.
- Apply the principle of least privilege to token scopes. When creating new tokens, grant only the specific permissions required. Avoid tokens with full repository access unless absolutely necessary. Prefer fine-grained personal access tokens over classic tokens.
- Update VS Code immediately. Check for updates via Help, then Check for Updates. Once Microsoft releases a patch addressing this vulnerability, installing it promptly is your primary technical mitigation.
- Audit repository secrets. Review your GitHub Actions secrets, Codespaces secrets, and any secrets stored in .env files committed to your repo. Use GitHub's built-in secret scanning if you are on a plan that supports it.
- Be skeptical of unsolicited links, even in technical contexts. Do not click links in pull request comments, issues, or chat messages from unknown parties without verifying the destination. This is especially relevant while a working exploit is publicly available.
- Enable GitHub security alerts and monitor token usage. Turn on GitHub's security and analysis features for your repositories. Review your account's active sessions and authorized OAuth apps regularly to spot unauthorized access early.
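The "audit repository secrets" step above is the one a small team can script. The following is an added example (not code from the article, BleepingComputer, or UNPWNED): a small scanner that walks a checked-out repository, flags committed .env files, and reports GitHub token-shaped strings with the secret redacted. The token prefixes it looks for (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_) are GitHub's published token formats; the file-name list, the directory skip list, and the sample repository it builds for its own demo are constructed for this example.

```python
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Token shapes, based on GitHub's published token prefixes (classic PATs and
# OAuth/app tokens are a 4-char prefix plus 36 alphanumerics; fine-grained
# PATs start with github_pat_). The exact regexes are this example's own.
TOKEN_PATTERNS = {
    "github_classic_style": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "github_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
}

# Files that should never be committed at all (constructed list).
SENSITIVE_NAMES = {".env", ".env.local", ".env.production"}
# Directories that are not part of the committed tree (constructed list).
SKIP_DIRS = {".git", "node_modules", ".venv"}


@dataclass(frozen=True)
class Finding:
    path: str      # path relative to the scanned root
    line: int      # 1-based line, or 0 for a whole-file finding
    kind: str      # which rule fired
    preview: str   # redacted hint; never the full secret


def redact(token: str) -> str:
    """Keep only the identifying prefix so the report cannot re-leak the token."""
    prefix = "github_pat_" if token.startswith("github_pat_") else token[:4]
    return prefix + "*" * 8


def scan_text(text: str, path: str) -> list[Finding]:
    """Return one Finding per token-shaped match in the given text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(match.group(0))))
    return findings


def scan_tree(root: str | Path) -> list[Finding]:
    """Walk the working tree: flag sensitive file names and token-shaped content."""
    root = Path(root)
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if name in SENSITIVE_NAMES:
                findings.append(Finding(rel, 0, "sensitive_file_committed", name))
            try:
                text = full.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            findings.extend(scan_text(text, rel))
    return sorted(findings, key=lambda f: (f.path, f.line, f.kind))


def build_sample_repo(root: Path) -> None:
    """Write a constructed repository layout with two planted fake tokens."""
    fake_classic = "ghp_" + "0123456789abcdefghijklmnopqrstuvwxyz"          # 4 + 36 chars
    fake_fine = "github_pat_" + "ABCDEFGHIJKLMNOPQRSTUV" + "_" + "x" * 30
    (root / ".env").write_text(f"GITHUB_TOKEN={fake_classic}\n")
    (root / "src").mkdir()
    (root / "src" / "config.py").write_text(f'TOKEN = "{fake_fine}"\n')
    (root / "README.md").write_text("No secrets here, just ghp_tooshort.\n")
    (root / ".git").mkdir()
    (root / ".git" / "config").write_text(f"url = https://x:{fake_classic}@example.invalid\n")


def run_demo() -> list[Finding]:
    """Build the sample repo in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}:{f.line} {f.kind} {f.preview}")
```

Run it against a real checkout by calling scan_tree on the repository root. It inspects the current working tree only; a .env that was committed and later deleted still lives in git history, so a clean result here does not replace rotating the token, which is why rotation is the first step in the list above.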
How UNPWNED Helps
UNPWNED scans your web properties for exposed secrets, misconfigured headers, and other common security gaps that attackers exploit after gaining initial access. While UNPWNED does not scan your local VS Code installation, our scanner can detect publicly exposed credentials and sensitive data in your web-facing assets, helping you identify if a compromised token has already led to leaked secrets appearing in your application or API endpoints. Running a scan after rotating your credentials is a practical way to confirm nothing sensitive was left exposed.
This post was drafted with AI assistance based on authoritative security sources, then published under editorial review.
Source
BleepingComputer