Microsoft Fixes One-Click GitHub Dev Attack That Let Attackers Steal OAuth Tokens

Microsoft patched a critical one-click attack in Visual Studio Code that allowed attackers to steal GitHub OAuth tokens from developers. Security researcher Ammar Askar disclosed the vulnerability, which exploited GitHub.dev functionality to extract authentication credentials without user awareness.

The attack worked by tricking developers into clicking a malicious link. Once clicked, the flaw enabled attackers to harvest GitHub tokens with read and write permissions to repositories, including private code repositories. This posed a direct threat to development environments, intellectual property, and any systems accessed through compromised Git credentials.

The vulnerability stemmed from improper handling of OAuth token handling between VS Code and GitHub.dev. Attackers could craft specially designed links that leveraged the integration between these services to bypass standard authentication prompts and directly access stored tokens. The one-click nature of the exploit made it particularly dangerous, as users had minimal opportunity to detect the attack before token compromise occurred.

Microsoft released a patch addressing the flaw after responsible disclosure by the security researcher. The fix tightened OAuth token handling procedures and added additional validation layers to prevent unauthorized token extraction. Organizations using VS Code for GitHub-integrated development workflows were advised to apply updates immediately.

The incident highlights the expanding attack surface created by interconnected development tools and authentication systems. GitHub tokens represent high-value targets for attackers seeking repository access, lateral movement within organizations, or supply chain compromise opportunities. Developers managing multiple projects and repositories face particular risk when using cloud-based development environments that integrate with external services.

Best practices for developers include enabling GitHub's token expiration policies, using fine-grained personal access tokens with minimal required permissions, and implementing hardware security keys or authenticator applications for multi-factor authentication on GitHub accounts. Organizations should also review token usage logs and implement detection for unusual authentication patterns indicative of compromised credentials.