What the researcher found

Security researcher Ammar Askar published a technical write-up describing a one-click attack path that can extract a GitHub OAuth token from a developer's local machine using nothing more than a malicious VS Code workspace file.

The mechanism, as Askar describes it, abuses how the GitHub Pull Requests and Issues extension — an official Microsoft extension with tens of millions of installs — processes certain URI (Uniform Resource Identifier) callbacks. A URI callback is a redirect mechanism extensions use to receive data from external services, including authentication responses from GitHub's OAuth flow.

Askar's proof-of-concept demonstrates that a crafted workspace file can invoke one of these callbacks in a way that causes the extension to forward a stored authentication token to an attacker-controlled endpoint. The user's required action: open the file.

Why Workspace Trust doesn't close the gap

VS Code introduced Workspace Trust in 2021 as a way to limit what code and configuration can execute when a folder is opened from an untrusted source. It is the primary user-facing control for this category of risk.

According to Askar's write-up, the attack path he identified is not fully blocked by Workspace Trust in its default configuration. The specific extension behavior that enables the token theft is, he argues, reachable even when the workspace is marked untrusted. This is the technically significant claim in the research — and it is the one that most warrants independent verification and a vendor response.

What is actually at risk

A GitHub OAuth token is a credential. Depending on the scopes granted when the token was issued, an attacker who obtains one could read private repositories, interact with issues and pull requests, or take actions on behalf of the authenticated user within those permission boundaries.

The research does not claim — and this article does not assert — that any tokens have been stolen in the wild. The distinction between a demonstrated proof-of-concept and an actively exploited vulnerability matters, and it is worth holding until Microsoft or GitHub publishes a formal advisory.

Who carries the most practical risk

Developers who routinely clone repositories from unfamiliar sources, open workspace files shared over chat or email, or work in environments where untrusted code regularly passes through their local machine are most exposed to this class of attack.

The attack requires the target to open a file — it is not a remote code execution vulnerability that operates without user interaction. That is a meaningful constraint, though not a reason for complacency given how normalized opening workspace files is in developer workflows.

What to watch for

Neither Microsoft nor GitHub had published a public advisory at the time this article was prepared. Developers should monitor the official VS Code release notes and the GitHub Security Advisories feed for a patch or mitigation guidance. Revoking and reissuing GitHub tokens is a low-friction precaution available now through GitHub's token management settings, regardless of whether a patch has shipped.