root@rebel:~$ cd /news/threats/vs-code-one-click-github-token-theft-via-uri-handler-exploitation_
[TIMESTAMP: 2026-06-04 09:26 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

VS Code One-Click GitHub Token Theft via URI Handler Exploitation

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers can exfiltrate sensitive GitHub authentication tokens from developers through a single click on a malicious URI link.
  • [02] The vulnerability impacts Visual Studio Code environments where built-in authentication or the GitHub Pull Requests extension is active.
  • [03] Defenders must instruct developers to scrutinize all URI protocol prompts and restrict unauthorized application-to-web communication.

Visual Studio Code (VS Code) serves as the primary environment for millions of developers, making it an exceptionally high-value target for supply chain compromise. A recent disclosure has identified a critical flaw in how the IDE handles authentication flows, potentially allowing an adversary to steal secret tokens. According to SecurityWeek, a security researcher has released a full proof-of-concept (PoC) demonstrating a one-click attack that exfiltrates GitHub tokens directly to an attacker-controlled server.

Technical Analysis: Visual Studio Code URI Handler Vulnerability

The exploit leverages the way VS Code handles custom URI schemes, specifically the vscode:// protocol. These handlers are designed to streamline workflows, such as opening a specific file or authenticating an extension. However, the researcher found that the authentication provider within VS Code can be tricked into sending a user’s GitHub session token to an arbitrary destination.

In a typical scenario, when a user signs in to GitHub via VS Code, the application uses an OAuth flow that concludes with a redirect to a local URI handler. The vulnerability exists because the application does not sufficiently validate the destination or the state of the authentication request when triggered externally. An attacker can craft a malicious link that, when clicked, invokes the VS Code authentication callback with parameters that redirect the sensitive credential to an external listener.

This bypasses traditional phishing defenses because the link appears to trigger a legitimate local application prompt. Because no CVE was initially assigned due to the nature of the disclosure, many SOC teams may lack the specific signatures required to detect this activity in real time. This highlights the risk of supply chain attack vectors targeting the tools developers trust most.

Understanding the One-Click Attack Vector

The attack is categorized as ‘one-click’ because it only requires the victim to click a link and potentially confirm a single system-level prompt to ‘Open Visual Studio Code.’ Once the IDE takes over the request, the internal logic for the github.vscode-pull-request-github extension or the built-in GitHub authentication provider executes the token exchange.

If the developer is already authenticated, which is common for those using Copilot or integrated version control, the token is retrieved from secure storage and passed to the attacker-defined redirect URL. This token grants the attacker the same permissions as the developer, including reading private repositories, modifying code, and accessing organization-level secrets.

VS Code GitHub Token Theft Mitigation

Defenders must recognize that traditional network security often fails to catch these application-specific redirections. To implement effective VS Code GitHub token theft mitigation, organizations should focus on both configuration and user awareness.

  • URI Handler Inspection: Educate developers to be wary of any web page that attempts to launch VS Code, especially if they are not actively performing an authentication task.
  • Token Scoping: Ensure that GitHub Personal Access Tokens (PATs) and OAuth tokens used within the IDE are scoped to the minimum necessary permissions. Use fine-grained tokens where possible.
  • Egress Filtering: Monitor for unusual outbound connections from the code.exe process (or its equivalent on macOS/Linux) to unknown external domains.
  • Reviewing Extensions: Periodically audit installed extensions and their requested permissions, as malicious extensions could similarly abuse these internal URI handlers.
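The Egress Filtering item above can be turned into a simple detection pass over process-network telemetry. The following is an added example, not code from the article or from VS Code itself; the log line format, the VS Code process names, and the allowlist of legitimate GitHub/Microsoft hosts are assumptions to adapt to your own EDR export. Loopback connections are allowed because the legitimate OAuth flow ends with a redirect to a local handler.

```python
import re

# Assumed allowlist of hosts VS Code legitimately reaches for GitHub sign-in and extensions.
ALLOWED_SUFFIXES = ("github.com", "githubusercontent.com", "visualstudio.com",
                    "vscode-cdn.net", "microsoft.com")
LOOPBACK = {"127.0.0.1", "localhost"}  # the OAuth flow's legitimate local redirect target
# VS Code process names on Windows / macOS / Linux (assumption; adjust to your EDR's naming).
VSCODE_PROCS = {"code.exe", "code", "code helper", "code helper (renderer)"}

# Assumed export format: '<ts> proc=<name or "quoted name"> pid=<n> dst=<host>:<port>'
# (hostnames or IPv4 only; bracketed IPv6 would need a wider host pattern).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) proc=(?:"(?P<qproc>[^"]*)"|(?P<proc>\S+)) pid=\d+ '
    r'dst=(?P<host>[^\s:]+):(?P<port>\d+)$'
)

def host_allowed(host: str) -> bool:
    """True for loopback or any host equal to, or under, an allowlisted suffix."""
    host = host.lower().rstrip(".")
    if host in LOOPBACK:
        return True
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def find_suspicious(lines):
    """Return (ts, proc, host) for VS Code connections to non-allowlisted hosts."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the whole pass
        proc = (m.group("qproc") or m.group("proc")).lower()
        if proc in VSCODE_PROCS and not host_allowed(m.group("host")):
            hits.append((m.group("ts"), proc, m.group("host")))
    return hits

# Constructed sample log (not real telemetry); 203.0.113.7 is a documentation-range IP.
SAMPLE_LOG = """\
2026-06-04T09:26:01Z proc=code.exe pid=4120 dst=api.github.com:443
2026-06-04T09:26:02Z proc=code.exe pid=4120 dst=127.0.0.1:53345
2026-06-04T09:26:03Z proc=code.exe pid=4120 dst=203.0.113.7:8080
2026-06-04T09:26:05Z proc="Code Helper" pid=511 dst=marketplace.visualstudio.com:443
2026-06-04T09:26:07Z proc=chrome.exe pid=77 dst=callback.example.net:443
2026-06-04T09:26:09Z proc=code pid=900 dst=callback.example.net:443
"""

if __name__ == "__main__":
    for ts, proc, host in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ts}: {proc} -> {host}")
```

Only the two VS Code connections to hosts outside the allowlist are flagged; the browser connection is out of scope for this rule and the loopback redirect is expected behaviour.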

Impact on Enterprise Security

This disclosure emphasizes that the developer workstation is a critical boundary in Zero Trust architectures. When an attacker gains access to a GitHub token, they can often bypass Multi-Factor Authentication (MFA) because the token itself represents an established session. For security teams, detecting malicious VS Code extensions and URI redirections must become a priority in their EDR and SIEM monitoring strategies. The ability to silently exfiltrate credentials from a trusted IDE demonstrates why even local protocol handlers require rigorous validation and sandboxing.
