June 2, 2026

Commit history or crime history?

1-Click GitHub Token Stealing via a VSCode Bug

One click could expose your private code — and commenters are furious at Microsoft

TLDR: A researcher says one malicious click in GitHub’s browser-based editor could expose a powerful account key that unlocks private code. Commenters were split between praising the warning and blasting Microsoft’s security handling, with many saying the app never should have had that much access in the first place.

Tech people love a clever hack story, but this one landed with a full-on comment section meltdown. The big reveal: a researcher says simply clicking a link could let an attacker grab a GitHub access key from the browser version of VS Code, the popular code editor. In plain English, that key could let someone peek at — and even change — your code projects, including private ones. That's the kind of sentence that makes developers sit up, spill coffee, and start changing passwords.

But the real fireworks were in the reactions. A lot of commenters weren’t just shocked by the bug — they were mad about the response. One person praised the researcher for sticking with it and trying to push for better security instead of walking away. Others went straight for the throat, calling Microsoft’s security response team “classic” and accusing it of quietly fixing issues without giving researchers proper credit or urgency. The hottest take? That the browser editor shouldn’t be logged into GitHub so deeply in the first place. As one commenter basically put it, giving a web app that much power is like leaving a master key out in the open and hoping nobody notices.

And yes, the gallows humor arrived right on schedule. One commenter joked the researcher might get “blacklisted by Microsoft,” while another dropped a Primeagen video like it was courtroom evidence. The mood was a mix of alarm, cynicism, and popcorn-grabbing drama: scary bug, messy disclosure, and a comment thread that reads like a tech scandal group chat.

Key Points

  • The article claims that clicking a link can allow an attacker to steal a GitHub token from the github.dev browser-based VSCode environment.
  • GitHub’s github.dev feature opens a lightweight VSCode instance in the browser for repositories a user can access.
  • The article states that github.com sends an OAuth token to github.dev so the editor can act on the user’s behalf.
  • According to the article, the token is not limited to a single repository and can access all repositories available to the user, including private ones.
  • The article explains that VSCode uses cross-origin webviews and Window.postMessage() for isolated rendering and communication, and presents this architecture as relevant to the reported exploit.
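The last point above names the architecture without showing the hygiene it demands: a `postMessage` channel is only as safe as the origin check on the receiving side and the target origin named by the sender. The following is an added example, not code from the article, the researcher, or VS Code itself. It models the receiver and sender in plain Node.js so it runs without a browser; the event shape `{origin, data}` mirrors a browser `MessageEvent`, and the allowed origins, message types and token value are constructed for illustration.

```javascript
// Added example (not from the article or from VS Code's own source):
// a hardened window.postMessage receiver and sender, modelled in plain
// Node.js. Origins, message types and the sample token are constructed.

const ALLOWED_ORIGINS = new Set([
  "https://github.dev", // assumed: the embedding editor origin
  "https://github.com", // assumed: the page that hands the editor its token
]);

// Message types the receiver is willing to act on. Anything else is dropped.
const KNOWN_TYPES = new Set(["ping", "open-file"]);

// Returns a handler suitable for window.addEventListener("message", handler).
// `sink` receives only messages that pass every check; `audit` receives a
// record of every rejection so a drop is observable rather than silent.
function makeMessageHandler(allowedOrigins, sink, audit = () => {}) {
  return function onMessage(event) {
    // 1. Origin check: a listener that accepts any origin is the root of
    //    most postMessage bugs, because any page can send a message.
    if (!allowedOrigins.has(event.origin)) {
      audit({ reason: "untrusted-origin", origin: event.origin });
      return false;
    }
    // 2. Shape check: only structured, typed messages are accepted.
    const msg = event.data;
    if (typeof msg !== "object" || msg === null || typeof msg.type !== "string") {
      audit({ reason: "malformed", origin: event.origin });
      return false;
    }
    if (!KNOWN_TYPES.has(msg.type)) {
      audit({ reason: "unknown-type", origin: event.origin, type: msg.type });
      return false;
    }
    sink(msg, event.origin);
    return true;
  };
}

// Sender side: a secret such as an OAuth token must never be posted with
// targetOrigin "*", which lets whatever is currently loaded in the target
// window read it. This wrapper refuses the wildcard and any non-https origin.
function postSecret(targetWindow, payload, targetOrigin) {
  if (targetOrigin === "*" || !/^https:\/\/[^/]+$/.test(targetOrigin)) {
    throw new Error(`refusing to post a secret to target origin ${JSON.stringify(targetOrigin)}`);
  }
  targetWindow.postMessage(payload, targetOrigin);
  return targetOrigin;
}

// Self-check with constructed events; no browser needed.
function demo() {
  const accepted = [];
  const rejected = [];
  const handler = makeMessageHandler(
    ALLOWED_ORIGINS,
    (msg, origin) => accepted.push(`${origin}:${msg.type}`),
    (rec) => rejected.push(rec.reason),
  );
  handler({ origin: "https://github.com", data: { type: "ping" } });
  handler({ origin: "https://evil.example", data: { type: "ping" } });
  handler({ origin: "https://github.dev", data: "just a string" });
  handler({ origin: "https://github.dev", data: { type: "run-command" } });

  // Fake target window that records what it was sent.
  const sent = [];
  const fakeWindow = { postMessage: (p, o) => sent.push([p, o]) };
  postSecret(fakeWindow, { type: "token", value: "constructed-token" }, "https://github.dev");
  let wildcardRefused = false;
  try {
    postSecret(fakeWindow, { type: "token", value: "constructed-token" }, "*");
  } catch (e) {
    wildcardRefused = true;
  }

  return { accepted, rejected, sent, wildcardRefused };
}

console.log(JSON.stringify(demo(), null, 2));
```

The receiver rejects three of the four constructed messages (wrong origin, unstructured data, unknown type) and the `audit` callback records why, which is the hook a defender wants for spotting probing from unexpected origins. On the sender side, a token-carrying message is only ever addressed to one named https origin; a `*` target is refused outright.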

Hottest takes

"someone is going to be blacklisted by Microsoft" — fg137
"Classic MSRC" — NagatoYuzuru
"a huge vulnerability surface arises from that original sin" — zbentley

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.