A developer who clicks one malicious link could hand an attacker complete access to every private code repository in their GitHub account — including proprietary source code, infrastructure-as-code, secrets embedded in repositories, and any connected CI/CD pipelines. For organizations where source code is a core asset, successful exploitation could result in intellectual property theft, supply chain compromise, or deployment of malicious code into production systems. Because no patch exists and the exploit is already public, the window between disclosure and active criminal use is short.
You Are Affected If
Developers in your organization use Visual Studio Code (any version) on any operating system
Developers use github.dev, GitHub's browser-based VS Code editor
Developer GitHub accounts hold broad repository access — particularly accounts with access to multiple private or production repositories
No enterprise VS Code policy restricts extension installation or webview API usage
No GitHub OAuth token scoping or rotation policy is enforced across the organization
Board Talking Points
An unpatched, publicly exploitable flaw in the development tool Visual Studio Code lets an attacker steal a developer's GitHub credentials with one click, potentially exposing all private source code.
Security teams should rotate all developer GitHub tokens and enforce extension controls today, before Microsoft releases a patch — this is a compensating action, not a full fix.
If no action is taken and a developer account is compromised, attackers could silently access, copy, or tamper with proprietary source code and deployment pipelines, with no immediate visible sign of intrusion.
SOC 2 — Source code repositories accessed via compromised OAuth tokens may contain system credentials, configuration secrets, and customer data pipelines subject to SOC 2 availability and confidentiality criteria
ISO/IEC 27001 — Unauthorized access to source code repositories via credential theft directly implicates Annex A controls on access management (A.9) and cryptographic key/credential protection (A.10)