Executive TL;DR:
- VSCode bug allows 1-click GitHub token stealing
- Experts recommend running extensions in isolated profiles
- Temporary per-repo permission scope or token can mitigate the issue
The Buzz Score
The Internet’s Verdict: 70% Hyped, 30% Skeptical
Expert Insights
Experts are concerned about the vulnerability surface that arises from the web-embedded VSCode editor being signed into GitHub.
This is a very good writeup. Zooming way out (perhaps to the point of useless observation), it’s a pity that the web embedded VSCode editor is signed into GitHub at all.
Another expert suggests running extensions in isolated profiles to prevent malicious or compromised extensions from exfiltrating GitHub tokens.
The attack surface that makes this particularly nasty is that VSCode extensions run with the same trust level as the editor itself, and most developers have dozens installed without reviewing their permissions.
Real-World Consequences
One developer shared their experience of having their GitHub token stolen, resulting in a significant disruption to their work.
Guys, even if you take security seriously, you are going to get hit on a long enough time frame. The best thing to do is segregate and control damage. Trust no one, nothing; use OrbStack, and always operate under the assumption that your token is going to get leaked at some point.