A one-click attack targeting Microsoft VS Code’s GitHub.dev feature allows an attacker to steal a victim’s GitHub OAuth token simply by tricking them into clicking a crafted link. The stolen token grants read and write access to all repositories the victim can access, including private ones. This poses a significant supply chain risk, as compromised tokens could be used to inject malicious code into codebases.

Architect’s Take: Enforce short-lived, scoped OAuth tokens across your organisation and audit any GitHub Apps or integrations permitted in VS Code. Consider restricting or monitoring use of GitHub.dev in your developer environment policy, and enable GitHub token scanning and push protection to limit the blast radius of any token compromise.

Original advisory: One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens