Breaking Technology · 8 min read

VS Code Zero-Day Exposes GitHub Tokens as Supply-Chain Attacks Breach 3,800 Internal Repositories

Unpatched OAuth vulnerability allows single-click credential theft while poisoned extension compromises GitHub's own infrastructure in 18 minutes.

A critical zero-day vulnerability in VS Code’s GitHub integration allows attackers to steal OAuth tokens with a single click, granting full read-write access to all repositories a user can reach — while a separate supply-chain breach already compromised GitHub’s internal systems through a poisoned extension that achieved 2.2 million installations in 18 minutes.

Security researcher Ammar Askar disclosed the VS Code vulnerability on 2 June 2026, revealing a chain of exploitable behaviors in github.dev’s webview implementation. The flaw remains unpatched as of today, with no CVE assigned and Microsoft yet to respond publicly, according to BleepingComputer. The vulnerability stems from how github.dev automatically POSTs OAuth tokens to browser-based VS Code instances — tokens that lack scoping and grant attackers complete repository access rather than limiting permissions to a single project.

The timing exposes a broader crisis: GitHub itself fell victim to precisely this class of supply-chain attack two weeks earlier. On 18 May 2026, threat actor TeamPCP (tracked by security firms as UNC6780) deployed a malicious version of Nx Console — a verified VS Code extension with 2.2 million installations — that harvested credentials from 1Password, Anthropic Claude, npm, GitHub, and AWS during an 18-minute window before removal, per The Hacker News. That breach exposed approximately 3,800 of GitHub’s internal repositories between 18 and 20 May.

18 May 2026: Nx Console Poisoned. Malicious version published to VS Code Marketplace at 12:30 UTC, removed 12:48 UTC after harvesting credentials from verified publisher account.

19 May 2026: GitHub Detects Breach. GitHub rotates critical secrets and isolates compromised endpoint; confirms ~3,800 internal repositories accessed.

27 May 2026: CISA KEV Listing. CVE-2026-48027 (CVSS 9.3) added to Known Exploited Vulnerabilities catalog; federal agencies required to patch by 10 June.

2 June 2026: VS Code Zero-Day Disclosed. Ammar Askar publicly releases vulnerability details after providing GitHub one hour advance notice.

How the VS Code Exploit Works

The attack exploits a fundamental architectural decision in github.dev. When users open repositories in the browser-based editor, GitHub POSTs OAuth tokens to the webview to enable API interactions. CybersecurityNews details how attackers can chain five VS Code behaviors: opening a malicious Jupyter notebook triggers automatic code execution, which simulates keyboard events to open github.dev URLs and extracts the unscoped token from the webview’s message-passing layer.

“This functionality is achieved by github.com POSTing over an OAuth token to github.dev that allows it to interact with GitHub on your behalf.”

— Ammar Askar, Security Researcher

The stolen tokens grant access to every repository the victim can reach — not just the repository they opened. For developers with access to enterprise organisations or open-source projects with sensitive CI/CD configurations, this represents immediate supply-chain risk. The vulnerability affects desktop VS Code through the same webview mechanism, with potential escalation to remote code execution on the victim’s machine, according to CyberPress.

The Nx Console Breach: 18 Minutes to Complete Compromise

TeamPCP’s execution demonstrates surgical precision. The malicious Nx Console update appeared identical to the legitimate extension but silently executed a shell command disguised as routine MCP setup, downloading a hidden package from a planted commit in the official nrwl/nx repository. “The extension looked and behaved like normal Nx Console, but on startup it silently ran a single shell command that downloaded and executed a hidden package,” explained Nir Zadok of OX Security in The Hacker News.

Nx Console Breach Impact

Internal repos exposed: ~3,800
Extension installs: 2.2M
Time live on marketplace: 18 min
CVSS score: 9.3

GitHub Chief Information Security Officer Alexis Wales stated the breach was contained to internal repositories: “We have no evidence of impact to customer information stored outside of GitHub’s internal repositories, such as our customer’s own enterprises, organizations, and repositories.” GitHub rotated critical secrets on 19 May, the same day the breach was detected. TeamPCP later listed the stolen data for sale on cybercrime forums for more than $50,000, according to Sophos.

Auto-Update Mechanism Creates Push Channel for Attackers

The Nx Console breach exploited a structural weakness in extension marketplaces: auto-update without review gates. “Auto-update gives an attacker who controls a release a direct push channel into every machine running that extension. Marketplaces don’t impose any review gate or waiting period between when an update is published and when installed clients pull it in,” noted Raphael Silva of Aikido Security in reporting by The Hacker News.

This architecture allowed the malicious version to reach 2.2 million installations in 18 minutes before removal at 12:48 UTC on 18 May. CISA added CVE-2026-48027 to its Known Exploited Vulnerabilities catalog on 27 May, requiring federal agencies to patch by 10 June. TeamPCP’s attack pattern shows cross-ecosystem credential reuse: credentials stolen from an earlier TanStack npm compromise enabled the Nx Console breach, which then provided access to GitHub’s internal infrastructure, per Varonis.
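The waiting period the Aikido quote says marketplaces lack can be enforced on the client side. The following is an added illustration, not code from the article, from Microsoft or from the Nx project: an install gate that refuses any update younger than a minimum age or no longer listed. The publisher id "nrwl", the version strings and the timestamps are constructed placeholders that follow the article's 18 May timeline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

@dataclass(frozen=True)
class Release:
    """One marketplace listing of an extension version (constructed sample data)."""
    publisher: str
    version: str
    published_at: datetime
    removed_at: Optional[datetime] = None  # set once the marketplace withdraws it

def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))

def is_eligible(r: Release, now: datetime, min_age: timedelta, pinned_publisher: str) -> bool:
    """Install gate: pinned publisher, still listed, and published at least min_age ago."""
    if r.publisher != pinned_publisher:
        return False                      # publisher changed: never auto-pull
    if r.removed_at is not None and r.removed_at <= now:
        return False                      # marketplace already pulled it
    return now - r.published_at >= min_age

def select_update(releases: Iterable[Release], installed: str, now: datetime,
                  min_age: timedelta, pinned_publisher: str) -> Optional[str]:
    """Newest release that passes the gate and is newer than the installed version."""
    candidates = [r for r in releases
                  if parse_version(r.version) > parse_version(installed)
                  and is_eligible(r, now, min_age, pinned_publisher)]
    return max(candidates, key=lambda r: parse_version(r.version)).version if candidates else None

# Constructed listing history. Version strings are placeholders, not real Nx Console
# releases; the publish and removal times follow the article's timeline.
NX_CONSOLE_HISTORY = [
    Release("nrwl", "1.0.0", datetime(2026, 5, 10, 9, 0, tzinfo=timezone.utc)),
    Release("nrwl", "1.0.1", datetime(2026, 5, 18, 12, 30, tzinfo=timezone.utc),
            removed_at=datetime(2026, 5, 18, 12, 48, tzinfo=timezone.utc)),  # poisoned
]

def update_for(installed: str, now_iso: str, min_age_hours: int) -> Optional[str]:
    """What an auto-updating client holding `installed` would pull at `now_iso` (UTC)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return select_update(NX_CONSOLE_HISTORY, installed, now, timedelta(hours=min_age_hours), "nrwl")
```

With a zero-hour gate (today's marketplace behaviour) a client checking ten minutes after publication pulls the poisoned build; with a 72-hour gate it never does, because the listing is withdrawn long before the window elapses.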

Context

The Nx Console breach represents the third major GitHub-adjacent compromise in six weeks. A TanStack npm package compromise affected OpenAI, Grafana, and Mistral in April, followed by CVE-2026-3854 (a critical RCE flaw) later that month. The VS Code zero-day disclosure on 2 June came 15 days after the Nx Console breach was contained, indicating attackers are shifting from direct platform attacks to developer toolchain exploitation.

Disclosure Timeline Raises Coordination Questions

Askar provided GitHub only one hour of advance notice before publishing the VS Code vulnerability. In comments to BleepingComputer, he cited a prior negative experience with Microsoft Security Response Center’s handling of a VS Code vulnerability, which was silently patched without researcher credit. The abbreviated disclosure window means millions of developers remain exposed while Microsoft develops a patch — no timeline has been provided for remediation as of today.

The vulnerability’s technical details are now public, including proof-of-concept code demonstrating the token extraction mechanism. Enterprise security teams face immediate risk assessment: any developer with access to private repositories or CI/CD systems who uses VS Code’s github.dev integration could serve as an entry point for supply-chain attacks. The OAuth tokens lack expiration and maintain full access until manually revoked.

What to Watch

Microsoft and GitHub have not announced a patch timeline for the VS Code OAuth vulnerability. Security teams should immediately audit which developers have used github.dev in the past 30 days and review access logs for anomalous repository reads. Token rotation for affected accounts requires manual revocation through GitHub’s security settings — no automated remediation exists.
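The two checks recommended above, as an added example that is not part of the article: who used github.dev in the last 30 days, and which actors read a burst of repositories they had never touched before, the pattern an unscoped stolen token produces. The JSON-lines schema (actor, repo, created_at, source), the usernames and the repository names are constructed for the demo and are not GitHub's audit-log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit-log sample in an assumed JSON-lines schema (actor, repo,
# created_at, source); it is not GitHub's real audit-log format.
SAMPLE_LOG = """\
{"actor": "alice", "repo": "acme/web", "created_at": "2026-05-20T10:00:00Z", "source": "vscode-desktop"}
{"actor": "alice", "repo": "acme/web", "created_at": "2026-06-01T09:12:00Z", "source": "github.dev"}
{"actor": "alice", "repo": "acme/billing", "created_at": "2026-06-02T14:00:00Z", "source": "api"}
{"actor": "alice", "repo": "acme/infra", "created_at": "2026-06-02T14:01:00Z", "source": "api"}
{"actor": "alice", "repo": "acme/secrets-ops", "created_at": "2026-06-02T14:02:00Z", "source": "api"}
{"actor": "bob", "repo": "acme/web", "created_at": "2026-06-01T11:00:00Z", "source": "vscode-desktop"}
"""

def ts(iso: str) -> datetime:
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def github_dev_actors(events: list, now: datetime, days: int = 30) -> list:
    """Actors with at least one github.dev-sourced repository read in the last `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted({e["actor"] for e in events
                   if e["source"] == "github.dev" and cutoff <= ts(e["created_at"]) <= now})

def sweep_readers(events: list, window: timedelta = timedelta(hours=1),
                  min_new_repos: int = 3, baseline_days: int = 30) -> dict:
    """Actors who, inside one window, read >= min_new_repos repositories they had not
    touched in the preceding baseline period: the shape of a stolen unscoped token
    being used to enumerate everything it can reach."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    flagged = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: ts(e["created_at"]))
        for i, first in enumerate(evs):
            start = ts(first["created_at"])
            baseline = {e["repo"] for e in evs[:i]
                        if start - ts(e["created_at"]) <= timedelta(days=baseline_days)}
            in_window = {e["repo"] for e in evs[i:] if ts(e["created_at"]) - start <= window}
            new_repos = in_window - baseline
            if len(new_repos) >= min_new_repos:
                flagged[actor] = sorted(new_repos)
                break
    return flagged

def run_audit(log_text: str, now_iso: str) -> tuple:
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return github_dev_actors(events, ts(now_iso)), sweep_readers(events)
```

Run against real exports, the github.dev list is the revocation worklist and the sweep list is the triage queue; tune the window and threshold to each organisation's normal clone behaviour before alerting on it.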

The Nx Console breach’s 10 June CISA deadline for federal agencies will test whether GitHub’s extension marketplace implements review gates for verified publisher updates. Current marketplace architecture allows verified publishers to push updates with zero review latency, the same mechanism TeamPCP exploited. Whether Microsoft implements scoped OAuth tokens for github.dev — limiting access to single repositories rather than granting org-wide permissions — will signal if the company treats this as an architectural failure or isolated vulnerability.

TeamPCP’s pattern of credential reuse across npm, VS Code extensions, and GitHub suggests further breaches may emerge as researchers audit credential stores in other developer tools. The threat actor’s ability to maintain access to GitHub’s internal repositories for 48 hours before detection indicates defensive gaps that extend beyond the Nx Console vector alone.