VSCode Security Flaw Exposes GitHub Tokens in One Click
A researcher published a detailed writeup on a VSCode bug that allows one-click GitHub token theft. The exploit works through the web-embedded VSCode editor, which is signed into GitHub by default, so a single click in that editor is enough to hand the user's GitHub token to an attacker. The researcher disclosed this to Microsoft's Security Response Center (MSRC) and, after getting nowhere, went public as a pressure tactic, explicitly saying this was 'one of the few levers I have to influence MSRC and the security posture of VSCode.'
HN commenters flagged two separate problems here. First, the technical issue: an editor that is authenticated into GitHub by default turns any bug in that editor into a credential-theft bug, which is why defense-in-depth argues the web-embedded editor shouldn't hold a GitHub session at all, or at least not without the user explicitly signing in. Second, the process issue: Microsoft's security response was slow and dismissive enough that a good-faith researcher felt forced to weaponize public disclosure.
Someone in the thread noted the researcher will likely get blacklisted by Microsoft. The researchers who find these bugs are doing the work Microsoft's internal teams should be doing, and the response they get is often hostility.
So what?
If your team uses VSCode with GitHub authentication, this is an active risk worth understanding before it shows up in your threat model the hard way: treat the GitHub token the editor holds as a credential that can leak, know which scopes it carries, and know how you would revoke it if it did. More broadly, the vendor security response problem is real: if you ever find a vulnerability in a tool your company depends on, document everything, set a firm disclosure deadline, and state that deadline to the vendor before you start the process.