Github

🟠 High | Source: The Hacker News A one-click attack targeting GitHub.dev, the browser-based VS Code environment, allows an attacker to steal a victim’s GitHub OAuth token simply by having them click a crafted link. The stolen token grants full read and write access to both public and private repositories. This is particularly dangerous because it requires no malware installation and exploits a legitimate GitHub feature. Architect’s Take: Audit OAuth token scopes granted to GitHub.dev within your organisation and consider enforcing fine-grained personal access tokens with minimal repository permissions instead of broad OAuth tokens. Ensure developer awareness training covers the risk of clicking unsolicited GitHub.dev links, and review whether your GitHub organisation policies can restrict OAuth app access. ...

🟠 High | Source: The Hacker News A one-click attack targeting Microsoft VS Code’s GitHub.dev feature allows an attacker to steal a victim’s GitHub OAuth token simply by tricking them into clicking a crafted link. The stolen token grants read and write access to all repositories the victim can access, including private ones. This poses a significant supply chain risk, as compromised tokens could be used to inject malicious code into codebases. ...