One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens
ID: 98df154e-83d6-5e4e-aa28-d7ba1094f2eb
STIX ID: report--98df154e-83d6-5e4e-aa28-d7ba1094f2eb
Feed Name: The Hacker News
Security researcher Ammar Askar disclosed a one-click attack against GitHub.dev/VS Code webviews that allows malicious webview JavaScript to simulate keypresses, open the Command Palette, and install an attacker-controlled extension (leveraging local workspace extensions to bypass trust prompts) to exfiltrate GitHub OAuth tokens; the tokens can be used to enumerate and access private repositories. Microsoft acknowledged the vulnerability and is working on a remediation; the issue does not affect VS Code Desktop.
