Executive Summary
A critical zero-day vulnerability has been identified in Visual Studio Code (VS Code) and its browser-based counterpart, github.dev, which enables attackers to steal GitHub OAuth tokens with a single click. This vulnerability, actively exploited in the wild, has resulted in a significant breach at GitHub, where attackers accessed approximately 3,700 internal repositories. The attack leverages the VS Code extension system and the OAuth token flow between github.com and github.dev, allowing malicious actors to enumerate and exfiltrate all repositories accessible to the victim. The exploit is notable for its minimal user interaction requirement and its ability to bypass traditional sandboxing mechanisms, highlighting a severe supply chain risk for organizations relying on VS Code and its extensions.
Technical Information
The vulnerability is rooted in the way VS Code handles extension webviews and OAuth token flows. Specifically, the attack exploits the message-passing system between sandboxed webviews and the main editor context. By crafting a malicious extension or link, an attacker can execute arbitrary JavaScript within the main editor, simulating user actions to install further malicious extensions. Once installed, these extensions intercept the OAuth token transmitted from github.com to github.dev during authentication.
The OAuth token in question is not limited to a single repository; instead, it grants access to all repositories the authenticated user can access. This broad scope dramatically increases the potential impact of a successful attack, as a single compromised token can be used to enumerate and exfiltrate all accessible repositories via the GitHub API.
The technical flow of exploitation is as follows: a user is enticed to click a malicious link or install a compromised extension. The extension abuses the webview’s message-passing system to break out of the sandbox and execute code in the main editor context. This code simulates keypresses or leverages extension APIs to install another extension, which then intercepts the OAuth token during the authentication process with github.dev. The attacker then uses this token to access and exfiltrate repository data.
A proof-of-concept demonstrating this attack was publicly released by security researcher Ammar Askar, underscoring the ease with which this vulnerability can be weaponized. The exploit requires only a single click from the victim, making it highly effective in phishing and social engineering campaigns.
The vulnerability is not tied to a specific version of VS Code but rather to the extension system and the auto-update mechanism. Any VS Code installation with auto-update enabled is potentially vulnerable, as malicious extensions can be rapidly distributed and installed without user intervention.
The most prominent exploitation involved the Nx Console extension (version 18.95.0), which was briefly available on both the Visual Studio Marketplace and OpenVSX. The malicious extension contained 2,777 bytes of minified JavaScript, which fetched a 498 KB obfuscated dropper from an orphan commit in the official nrwl/nx repository. This dropper facilitated the exfiltration of OAuth tokens and subsequent repository data.
Indicators of compromise include the presence of the malicious Nx Console extension, unexpected outbound connections from VS Code extensions, unusual repository access logs, and the installation of unauthorized extensions. Organizations should also be alert to any anomalous activity in their GitHub environments, particularly involving repository enumeration or data exfiltration.
Exploitation in the Wild
The most significant exploitation of this vulnerability occurred at GitHub, where attackers leveraged a poisoned VS Code extension to compromise an employee’s machine. The malicious Nx Console extension (version 18.95.0) was uploaded to the Visual Studio Marketplace at 12:30 UTC and unpublished at 12:47 UTC, resulting in an 18-minute exposure window. During this time, any machine with auto-update enabled could have automatically installed the compromised extension. The extension was also distributed via OpenVSX for 36 minutes, further increasing the potential victim pool.
The attackers used a previously stolen GitHub token to publish the malicious extension, demonstrating a sophisticated supply chain attack. Once installed, the extension exfiltrated OAuth tokens and enabled the attackers to access approximately 3,700 internal repositories at GitHub. This breach underscores the cascading risks associated with compromised developer tools and the importance of securing the software supply chain.
Other supply chain attacks have targeted popular extensions such as AsyncAPI (compromised in November 2025), using stolen credentials to push malicious updates that auto-install on millions of machines. These incidents highlight the systemic risk posed by the extension ecosystem and the need for robust controls around extension publishing and updating.
APT Groups using this vulnerability
As of the latest intelligence, there is no direct attribution of this vulnerability’s exploitation to a specific Advanced Persistent Threat (APT) group. However, the tactics, techniques, and procedures (TTPs) observed align closely with those employed by known supply chain and credential theft actors. The use of supply chain poisoning, credential theft, abuse of auto-update mechanisms, JavaScript payload obfuscation, and orphan commits for payload hosting are all hallmarks of sophisticated threat actors.
Relevant MITRE ATT&CK techniques include T1195 (Supply Chain Compromise), T1552 (Unsecured Credentials), T1078 (Valid Accounts), and T1086 (PowerShell, for post-exploitation activities). While no APT group has claimed responsibility, organizations should remain vigilant, as these TTPs are commonly used by state-sponsored and financially motivated actors targeting the software supply chain.
Affected Product Versions
The vulnerability affects all versions of Visual Studio Code (desktop) with extension auto-update enabled as of May 18, 2026. The browser-based github.dev is also affected in all versions as of the same date, due to the OAuth token flow and extension system. The malicious Nx Console extension (version 18.95.0) was available on the Visual Studio Marketplace from 12:30 UTC to 12:47 UTC and on OpenVSX from 12:33 UTC to 13:09 UTC on May 18, 2026. Any installation of Nx Console with auto-update enabled during these windows is considered compromised.
Other extensions, such as AsyncAPI (version 1.0.1, compromised in November 2025), have also been targeted in similar attacks. The general risk extends to any popular extension with auto-update enabled, particularly if publisher credentials are compromised.
Workaround and Mitigation
Immediate actions for organizations include rotating all credentials, tokens, and SSH keys on machines where the malicious Nx Console extension or other affected extensions were installed during the exposure window. It is critical to review GitHub access logs for unauthorized activity and to remove the malicious extension, updating to a clean version as soon as possible.
From an organizational perspective, disabling automatic extension updates in VS Code where feasible can reduce the risk of rapid propagation of malicious extensions. Implementing the extensions.allowed enterprise policy allows organizations to restrict which extensions and publishers can be installed, providing an additional layer of control. Monitoring for new extension versions and instituting a cooldown period before deployment (such as a 48-hour hold) can help detect and prevent the installation of compromised extensions.
Educating developers about the risks associated with auto-updating extensions and supply chain attacks is essential. Regular audits of installed extensions and vigilant monitoring for anomalous activity in development environments are recommended best practices.
References
BleepingComputer: VS Code zero-day lets hackers steal GitHub tokens in one click
Aikido: The Wild West of VS Code extensions and how a poisoned extension breached GitHub
Reddit: 1-Click GitHub Token Stealing via a VSCode Bug
Cycode: Exposing VSCode Secrets
NVD: National Vulnerability Database (for future CVE assignment)
Rescana is here for you
At Rescana, we understand the critical importance of securing your software supply chain and development environments. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate risks associated with vendors, open-source components, and software dependencies. We are committed to providing actionable intelligence and expert guidance to help you stay ahead of emerging threats. For any questions or further assistance, please contact us at ops@rescana.com.
