
Researcher Drops a New VS Code Zero-Day After Losing Trust in Microsoft’s Disclosure Process

ID: 43b7d0ba-0ae3-5fcc-8c90-8d14006ea0b2

STIX ID: report--43b7d0ba-0ae3-5fcc-8c90-8d14006ea0b2

Feed Name: Security Affairs

Threat Score: 80/100

Date Published: 2026-06-04

Date Updated: 2026-06-04

Author: Pierluigi Paganini


A security researcher publicly released a proof-of-concept for a VS Code zero-day affecting github.dev that can steal GitHub OAuth tokens valid across all repos a user can access. The attack uses a modified .vscode/extensions.json to recommend a malicious extension, and hidden HTML inside a Jupyter Notebook to auto-approve its installation, allowing stealthy token exfiltration and repository access. The researcher abandoned coordinated disclosure because of prior negative interactions with Microsoft's security response.
