VS Code Zero-Day Exploit: Stealing GitHub Tokens via URI Handlers

Overview of the Visual Studio Code Zero-Day

A Zero-Day vulnerability in Visual Studio Code (VS Code) has been disclosed, potentially allowing attackers to exfiltrate sensitive GitHub authentication tokens. This flaw centers on the way the application processes custom URI handlers, specifically those associated with authentication providers. According to BleepingComputer, a security researcher known as mthcht released a proof-of-concept (PoC) demonstrating how a single click on a malicious link can compromise developer credentials.

While Microsoft has reportedly been made aware of the issue, no CVE has been formally assigned at the time of writing. The researcher chose to disclose the technical details after determining that the behavior could be weaponized via Phishing to gain unauthorized access to private repositories and corporate infrastructure.

Technical Analysis: Visual Studio Code GitHub Token Theft Exploit

The vulnerability leverages the application’s deep-linking capabilities, which allow external applications or websites to trigger specific actions within the editor. The Visual Studio Code GitHub token theft exploit relies on the vscode-auth:// protocol handler. By crafting a specialized URL, an attacker can initiate an authentication flow that, if accepted or automatically processed, redirects the resulting OAuth token to an attacker-controlled endpoint.

Exploiting URI Handlers for Token Exfiltration

The attack vector involves a two-stage process. First, the attacker must persuade the target to click a link, often disguised as a legitimate collaboration request or a repository link. When the browser invokes the VS Code protocol handler, the application attempts to resolve the authentication request through the integrated GitHub provider. If the developer is already authenticated, the system may inadvertently bypass certain warnings, depending on the specific extension configuration and the state of the session.

This mechanism allows for the silent exfiltration of tokens that possess broad permissions, including read/write access to private source code. For an organization, this represents a significant Supply Chain Attack risk, as compromised tokens can be used for Lateral Movement within a GitHub organization, enabling the injection of malicious code into production branches.

How to Detect VS Code URI Handler Exploitation

Detecting this TTP requires monitoring both the host operating system and network traffic. Security teams should configure their SIEM or EDR solutions to flag unusual process execution patterns where the VS Code executable is launched with the vscode-auth:// or vscode:// arguments from a web browser process (e.g., chrome.exe or firefox.exe).

To effectively implement a strategy on how to detect VS Code URI handler exploitation, SOC analysts should look for specific indicators of compromise, such as:

• Outbound network connections from the VS Code process to unfamiliar external domains immediately following a URI handler invocation.
• Registry modifications or configuration changes related to the vscode-auth protocol registration.
• Suspicious GitHub audit logs showing token generation or access from anomalous IP addresses or non-standard user agents.

Mitigation and Recommendations

Until an official patch is released or a configuration change is mandated by the vendor, defenders must rely on proactive security measures. Restricting the use of third-party extensions that request high-level authentication permissions is a primary defense. Organizations should adopt a Zero Trust approach to developer tooling, ensuring that even internal links are validated before interaction.

1. Restrict Extension Installations: Use VS Code’s built-in policies to allow only verified extensions from trusted publishers.
2. Disable Protocol Handlers: If deep linking is not required for the workflow, consider disabling the OS-level registration for vscode-auth:// handlers.
3. Developer Education: Train staff to recognize that authentication prompts originating from a browser-to-app transition are high-risk events.
4. Token Rotation: Implement aggressive expiration policies for GitHub personal access tokens and OAuth tokens to minimize the window of opportunity for an attacker.