GitHub browser VSCode flaw risks stolen developer tokens
🛡️ A researcher disclosed a vulnerability in GitHub’s browser-based VSCode (github.dev) that could allow an attacker to obtain a developer’s OAuth token and access any repos the developer can reach. The issue involves github.com POSTing a broad-scoped token to github.dev and a bypass in Jupyter notebook-based extension installation that can exfiltrate the token. Microsoft implemented a short-term mitigation requiring notebook confirmation and restoring the trusted-publisher check.
