Critical GitHub Token Stealing Bug Exploits Web-Based Code Editors
ID: 17babe87-0ea1-57d8-bead-a62aba64aa57
STIX ID: report--17babe87-0ea1-57d8-bead-a62aba64aa57
Feed Name: securityonline.info
Independent research disclosed a critical vulnerability in the github.dev web-based VSCode interface. Malicious content in the webview can forge did-keydown events to simulate keyboard shortcuts, bypass publisher trust, and install local extensions, enabling theft of OAuth tokens with full access to a user's repositories. This poses a significant supply-chain and credential-exfiltration risk to browser users of github.dev.
