Another bug hunter leaks Microsoft exploits in defiance of company’s handling of vulnerability disclosures

ID: e28ad79c-e2cb-5112-ac1a-29a21595e3e6

STIX ID: report--e28ad79c-e2cb-5112-ac1a-29a21595e3e6

Feed Name: The Register (Security)

Threat Score: 75/100

Date Published: 2026-06-03

Date Updated: 2026-06-04

A security researcher published a proof-of-concept showing how attackers can abuse github.dev and VS Code Workspace Recommendations to push a malicious extension that auto-accepts its own install (via a Jupyter Notebook Webview trick) and steals OAuth tokens, giving access to any public or private GitHub repos the victim can access. The author publicly released the PoC after dissatisfaction with Microsoft’s handling of vulnerability reports.