VS Code zero-day lets hackers steal GitHub tokens in one click
ID: c577fe83-f941-56a7-b782-88d0af1cfc17
STIX ID: report--c577fe83-f941-56a7-b782-88d0af1cfc17
Feed Name: Bleeping Computer
A security researcher published a proof-of-concept for a Visual Studio Code zero-day that allows attackers to trick users into installing malicious extensions which steal GitHub OAuth tokens via github.dev's webview messaging; the stolen tokens can be used to access and enumerate private repositories. The flaw was publicly disclosed without an available patch, and mitigations include clearing github.dev cookies and local site data to force a sign-in warning.
