GitHub's Browser Editor Handed Attackers an Unscoped OAuth Token — and a Path to Every Private Repo You Own
A malicious Jupyter notebook, a bypassed publisher trust check, and a single browser tab were all an attacker needed to steal an OAuth token granting access to every repository tied to a GitHub account.

GitHub's browser-based code editor silently handed attackers a skeleton key to private repositories — and most developers never knew the door was open.
What Happened
Security researcher Ammar Askar published a detailed technical writeup exposing a critical vulnerability in `github.dev`, the browser-based Visual Studio Code environment that activates when a developer presses `.` on any GitHub repository. The flaw centered on how `github.com` passes an OAuth token to the `github.dev` session. That token was not scoped to the specific repository triggering the session. It carried full access to every repository the account could reach — public, private, organizational, all of it.
Askar confirmed the severity himself: this was, in his words, "about as serious as it gets."
The attack chain required no elevated privileges, no cloning, no terminal. An attacker plants a crafted Jupyter notebook inside a public repository. A victim opens that repository in `github.dev`. The notebook installs a local workspace extension — bypassing GitHub's publisher trust verification entirely — and that extension silently retrieves the OAuth token along with a full listing of the victim's private repositories. Both get exfiltrated before the developer has closed a single tab.
Why the Attack Surface Exists
Three distinct control failures stacked to create this exposure.
First, token scoping. OAuth tokens should carry the minimum permissions necessary for the session context. A token issued when a developer opens one specific repository has no legitimate reason to carry org-wide repository access. The principle of least privilege is foundational — NIST SP 800-53 dedicates an entire control family (AC-6) to it — yet the `github.dev` session token violated it by design.
Second, the extension trust model. VSCode's publisher verification system exists precisely to stop unsigned or unverified code from executing in a session. The attack bypassed that check entirely by installing a local workspace extension rather than a marketplace-distributed one. The guardrail existed. The attacker walked around it.
Third, the redirect attack vector. Any external website could craft a link pointing to a malicious `github.dev` session. If that link reached a maintainer of a widely-used open-source library — someone with commit rights to a dependency used by thousands of downstream projects — the attacker could have pushed backdoored code to that dependency without ever authenticating directly. The supply chain implications are immediate.
When developers routinely open unfamiliar repositories in browser-based editors, every notebook, every workspace config file, and every extension recommendation becomes a potential delivery mechanism. Training developers to treat `github.dev` sessions with the same suspicion they'd apply to a phishing email is not optional hygiene — it's a necessary part of modern secure development culture. Organizations that run structured security awareness programs regularly see measurable reductions in the rate at which developers interact with untrusted content, which matters here because the initial trigger is a social engineering step: getting a developer to open a repository.
Microsoft's Response — and the Disclosure Fight
Microsoft applied two stopgap mitigations. The `github.dev` environment now prompts users for confirmation before opening notebooks, and the mechanism that allowed workspace extensions to bypass the trusted publisher requirement has been closed. Both changes reduce the immediate attack surface.
They do not address the root architectural problem: the OAuth token scope. Until that token is constrained to the repository that actually triggered the session, the blast radius of any future bypass remains enormous.
The disclosure timeline deserves attention. Askar gave GitHub one hour of notice before publishing publicly. His stated reason: a previous VSCode vulnerability he reported was fixed without credit or acknowledgment. The coordinated disclosure model depends on mutual trust. Researchers invest real hours building proof-of-concept exploits, documenting reproduction steps, and holding findings while vendors triage and patch. When vendors quietly drop researcher names from advisories, that implicit contract collapses. One-hour notice is the foreseeable result, even if it leaves enterprises exposed during the gap.
Microsoft's public statement praised the security research community in generic terms. It said nothing about the structural problem Askar described.
What Defenders Should Do Now
For platform and security engineers running GitHub-integrated CI/CD pipelines, the exposure Askar documented is not theoretical. A stolen token with org-wide repository access is a direct path to poisoned build artifacts, backdoored dependencies, or exfiltrated proprietary source code. The 2024 Verizon Data Breach Investigations Report found that stolen credentials remain the leading action type in confirmed breaches — and an unscoped OAuth token is functionally a long-lived credential.
Four concrete steps apply immediately:
- Audit OAuth token scopes across all GitHub Apps, personal access tokens, and session tokens in your organization. Revoke anything granting broader access than the task requires.
- Enforce repository-level access controls. Developers should not have org-wide repository read access unless the role explicitly requires it. Use GitHub's fine-grained personal access tokens where possible.
- Treat every browser-based IDE session touching private repositories as a credential issuance event. Log it. Alert on unusual access patterns. Apply the same scrutiny you'd give a service account in a cloud IAM system.
- Restrict Jupyter notebook execution in `github.dev` sessions through organizational policy until Microsoft releases a more architecturally sound token-scoping solution.
Organizations that have invested in security standards alignment already have frameworks for thinking about least-privilege identity controls — the same controls that would have contained this attack at the token-scoping layer.
The Bigger Picture
Browser-based development environments are accelerating. GitHub Codespaces, `github.dev`, Gitpod, and similar platforms are where a growing share of software gets written. That consolidation is operationally convenient. It is also a concentration of credential and access risk that the security industry has not fully reckoned with.
Every developer session in these environments issues credentials, touches private data, and operates inside a browser context that is fundamentally more permeable than a hardened workstation. Threat models for supply chain security need to account for this. Treating a browser IDE session as a trusted, isolated development environment is a category error — and Askar's research proves it.
How This Attack Could Have Been Contained
- Enforce least-privilege OAuth scoping so browser IDE tokens only access the repository that triggered the session — not your entire organization.
- Train developers to treat unfamiliar repositories, notebooks, and workspace extension prompts as untrusted inputs, the same way they'd evaluate a suspicious email attachment.
- Establish organizational GitHub policies that restrict notebook execution and require publisher verification for all workspace extensions.
Train2Secure's security awareness programs help development teams recognize the social engineering steps — like clicking a crafted github.dev link — that precede credential-theft attacks like this one.
Start free — no card requiredSources & further reading
Frequently asked questions
Was my GitHub account compromised by this vulnerability?
GitHub has not disclosed any confirmed exploitation in the wild. Microsoft applied mitigations to github.dev — including notebook open confirmations and a fix for the publisher trust bypass — so the immediate attack path is closed. That said, any developer who regularly opens unfamiliar repositories in github.dev before the fix was applied should audit recent OAuth token activity in their GitHub security settings and rotate personal access tokens as a precaution.
What made the OAuth token in github.dev so dangerous?
The token was not scoped to the specific repository that triggered the github.dev session. It granted access to every repository the account could reach, including private and organizational ones. A principle-of-least-privilege design would have restricted the token to the single repo in context, dramatically limiting the blast radius of any theft.
Why did the researcher publish with only one hour of notice?
Ammar Askar stated that a previous VSCode vulnerability he reported was patched without credit or acknowledgment. Coordinated disclosure depends on reciprocal good faith. When researchers feel that relationship has been broken, shortened notice windows are a documented response — though enterprises bear the cost of exposure during any gap between publication and patching.
How can organizations reduce risk from browser-based IDE sessions?
Audit OAuth token scopes and revoke over-privileged tokens, use GitHub's fine-grained personal access tokens to limit repository access by role, log all github.dev and Codespaces sessions touching private repositories, and restrict Jupyter notebook auto-execution through organizational GitHub policy until a fully scoped token architecture is in place.



