One-click GitHub OAuth-token theft via github.dev, fully disclosed with PoC; Microsoft patched 3 June
From CTI Daily Brief — 2026-06-04 · published 2026-06-04
Independent researcher Ammar Askar published full details and a PoC for a one-click attack on GitHub's browser editor github.dev that extracts the victim's full-scope GitHub OAuth token (read/write to all repos, including private ones) (Ammar Askar, 2026-06-02 · The Hacker News, 2026-06-04). The attack abuses github.dev's embedded VSCode: a crafted page injects synthetic keyboard events (keydown injection) to drive the editor into silently installing a malicious workspace extension, which then reads and exfiltrates the OAuth token the editor holds (T1528); Askar notes the technique does not rely on bypassing postMessage origin validation. The token is not scoped to the repository open in the editor. Askar disclosed one hour before publishing, citing prior experience of silent fixes from Microsoft; Microsoft shipped a fix on 3 June. Until updated clients are confirmed, avoid using github.dev with untrusted extensions installed and watch GitHub audit logs for token use from unexpected IPs or user-agents.
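As an added example (not part of the brief or of Askar's PoC), a minimal baseline check over constructed GitHub audit-log lines: it records the IPs and user-agents each user employed before a cutoff, then flags later repo access from a pairing that user never used before, which is the "unexpected IPs/user-agents" pattern the brief recommends watching for. The field names (`@timestamp`, `action`, `actor`, `actor_ip`, `user_agent`, `repo`) follow the shape of GitHub's organization audit-log export and are assumptions here.

```python
import json
from collections import defaultdict

# Constructed sample audit-log entries (one JSON object per line), mimicking an
# organization audit-log export. Field names are assumptions, not values from the
# brief. Timestamps are epoch milliseconds; the last three fall on the day after
# the baseline window and show a stolen token being used from a new host/client.
SAMPLE_LOG = """\
{"@timestamp": 1780480000000, "action": "git.clone", "actor": "alice", "actor_ip": "203.0.113.10", "user_agent": "git/2.45.0", "repo": "acme/app"}
{"@timestamp": 1780483600000, "action": "git.push", "actor": "alice", "actor_ip": "203.0.113.10", "user_agent": "git/2.45.0", "repo": "acme/app"}
{"@timestamp": 1780487200000, "action": "git.fetch", "actor": "bob", "actor_ip": "198.51.100.7", "user_agent": "git/2.44.1", "repo": "acme/infra"}
{"@timestamp": 1780570000000, "action": "git.clone", "actor": "alice", "actor_ip": "192.0.2.55", "user_agent": "python-requests/2.32.0", "repo": "acme/secrets"}
{"@timestamp": 1780570060000, "action": "git.clone", "actor": "alice", "actor_ip": "192.0.2.55", "user_agent": "python-requests/2.32.0", "repo": "acme/app"}
{"@timestamp": 1780573600000, "action": "git.push", "actor": "bob", "actor_ip": "198.51.100.7", "user_agent": "git/2.44.1", "repo": "acme/infra"}
"""

BASELINE_END = 1780500000000  # events before this timestamp build the per-actor baseline

def parse_log(text):
    """Parse JSON-lines audit-log text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def build_baseline(events, cutoff):
    """Collect the IPs and user-agents each actor used before the cutoff."""
    baseline = defaultdict(lambda: {"ips": set(), "uas": set()})
    for ev in events:
        if ev["@timestamp"] < cutoff:
            baseline[ev["actor"]]["ips"].add(ev.get("actor_ip"))
            baseline[ev["actor"]]["uas"].add(ev.get("user_agent"))
    return baseline

def find_anomalies(events, cutoff):
    """Flag post-cutoff repo access from an IP or user-agent the actor never used before.
    Actors with no baseline (new accounts) are skipped: a stolen token belongs to an
    existing user, and they need a separate onboarding rule."""
    baseline = build_baseline(events, cutoff)
    findings = []
    for ev in events:
        if ev["@timestamp"] < cutoff or ev["actor"] not in baseline:
            continue
        seen = baseline[ev["actor"]]
        reasons = []
        if ev.get("actor_ip") not in seen["ips"]:
            reasons.append("new_ip")
        if ev.get("user_agent") not in seen["uas"]:
            reasons.append("new_user_agent")
        if reasons:
            findings.append({"actor": ev["actor"], "repo": ev["repo"], "action": ev["action"],
                             "actor_ip": ev.get("actor_ip"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG), BASELINE_END):
        print(finding)
```

On the sample, only alice's two clones from 192.0.2.55 with a scripted user-agent are flagged; bob's unchanged host and client produce nothing.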