Coding4Food LogoCoding4Food
HomeCategoriesArcadeBookmarks
vi
HomeCategoriesArcadeBookmarks
Coding4Food LogoCoding4Food
HomeCategoriesArcadeBookmarks
Privacy|Terms

© 2026 Coding4Food. Written by devs, for devs.

All news
TechnologyDev Life

1-Click and Your GitHub Token is Gone: The Latest VSCode Nightmare

June 3, 20263 min read

One misplaced click and your GitHub token saved in VSCode could be yeeted to an attacker. Let's break down the massive security drama trending on Hacker News.

Share this post:
cybersecurity, palm print, data security, firewall, hacker, malware, ransomware, hacking, cybersecurity, cybersecurity, cybersecurity, cybersecurity, cybersecurity, ransomware, ransomware, ransomware, ransomware
Nguồn gốc: https://coding4food.com/post/1-click-github-token-stealing-vscode-bug. Nội dung thuộc bản quyền Coding4Food. Original source: https://coding4food.com/post/1-click-github-token-stealing-vscode-bug. Content is property of Coding4Food. This content was scraped without permission from https://coding4food.com/post/1-click-github-token-stealing-vscode-bugNguồn gốc: https://coding4food.com/post/1-click-github-token-stealing-vscode-bug. Nội dung thuộc bản quyền Coding4Food. Original source: https://coding4food.com/post/1-click-github-token-stealing-vscode-bug. Content is property of Coding4Food. This content was scraped without permission from https://coding4food.com/post/1-click-github-token-stealing-vscode-bug
Nguồn gốc: https://coding4food.com/post/1-click-github-token-stealing-vscode-bug. Nội dung thuộc bản quyền Coding4Food. Original source: https://coding4food.com/post/1-click-github-token-stealing-vscode-bug. Content is property of Coding4Food. This content was scraped without permission from https://coding4food.com/post/1-click-github-token-stealing-vscode-bugNguồn gốc: https://coding4food.com/post/1-click-github-token-stealing-vscode-bug. Nội dung thuộc bản quyền Coding4Food. Original source: https://coding4food.com/post/1-click-github-token-stealing-vscode-bug. Content is property of Coding4Food. This content was scraped without permission from https://coding4food.com/post/1-click-github-token-stealing-vscode-bug
vscode buggithub tokenlỗ hổng bảo mậthacker newsammar askar1-click exploit
Share this post:

Bình luận

Related posts

ai generated, data centre, computer, server, rack, technology, digital, processor, server, server, server, server, server
TechnologyAI & Automation

Thinking Machines Drops Inkling: A New Open-Weights Challenger Enters the Ring!

Thinking Machines just launched Inkling, an open-weights AI model. Is it time to ditch paid APIs and self-host this bad boy?

Jul 163 min read
Read more →
artificial intelligence, coding, programming, software, code, robot, computer, website, technology, matrix, program, development, server, html, cartoon, data, communication, command prompt, robotics, cyborg
TechnologyAI & Automation

Kimi K3: The Chinese Reasoning Model Crashing the Silicon Valley AI Party

Kimi K3 is making waves on Hacker News. Can this ultra-cheap reasoning LLM from Moonshot AI actually dethrone OpenAI's o1? Let's break it down.

Jul 173 min read
Read more →
ai generated, man, technology, business, office, meeting, digital, internet, computer, network, future, data, design, communication, information, connection, networking, futuristic, cyber, web, hacker, matrix, sci-fi
Dev LifeTechnology

Happy 15th Anniversary to Recurse Center: When Staying Small Beats Chasing the Unicorn Dream

A look back at Recurse Center's 15-year journey from a failed 'dating-style' job site to a free programming sanctuary for over 3,000 developers.

Jul 183 min read
Read more →
laptop, hands, gadgets, iphone, apple, lens, macbook, mobile phone, smartphone, typing, blogging, flat lay, workspace, laptop, laptop, typing, typing, typing, typing, typing, blogging, blogging, blogging
TechnologyDev Life

Social Media is Dead, Long Live the Feed: How Algorithms Killed Our Friendships

Remember when social media was actually about friends and not just brain-melting algorithmic fads? Here is how the 'social' part got brutally murdered.

Jun 93 min read
Read more →
http, computer, hand, mobile, smartphone, web, touch, finger, display, www, internet, looking for, web address, pc, browser, search engine, data, programming, worldwide, networking
TechnologyDev Life

Ladybird's Dev Process Overhaul: A Genuine Chromium Slayer?

Ladybird browser announces a major dev process overhaul. Diving into the Hacker News reactions and survival lessons for scaling side projects.

Jun 53 min read
Read more →
lumber, lumberjack, axe, beard, forest, job, profession, tree, wood, woodcutter, man, person, strong, nature, male
GamingTechnology

The ASMR Firewood Splitting Simulator is the Ultimate Dev Procrastination Tool

Discover the incredibly satisfying Firewood Splitting Simulator that's taking over Hacker News. Put down your IDE and start chopping virtual wood.

Jun 152 min read
Read more →

What's up, fellow code monkeys? Grinding through Jira tickets or pretending to work? Pause your Spotify playlist for a second, because today we're talking about a massive screw-up in everyone's favorite text editor: VSCode. If you're the type of dev who clicks links faster than your brain can process, you might want to read this before your tech lead calls you at 2 AM screaming about a compromised repo.

The TL;DR on the VSCode Disaster

Security wizard Ammar Askar just dropped a nuke on his personal blog, detailing a vulnerability that is currently skyrocketing on Hacker News with over 500 upvotes. Here's the raw rundown of what the hell happened:

  • The 1-Click Magic: This isn't some complex "download this zip, run a bash script, bypass UAC" exploit. It's a 1-click kill. You accidentally click a maliciously crafted link (like a vscode:// URI handler), and boom.
  • The Prize: The vulnerability targets the GitHub OAuth token that VSCode stores locally so you don't have to authenticate every time you push code.
  • The Blast Radius: Once an attacker gets their hands on that token, they basically become you. Depending on the token's scope, they can clone your company's proprietary code, snoop around, or worse, push malicious commits directly into your codebase (Supply Chain Attack 101).
  • A lot of us spin up a VPS to test sketchy payloads safely, but with this bug, simply browsing the web on your local machine and clicking the wrong link triggers VSCode to hand over your keys to the kingdom.

What's the Hivemind Saying?

Since HN comments are a goldmine of panic and armchair security experts, here's how the dev community is reacting to the fallout:

  • The Pissed-off Majority: "Seriously, Microsoft? How does a 1-click token stealer make it to production in 2024?" It's a classic case where making tools ultra-convenient (like browser-to-IDE integration) creates gaping security holes.
  • The Paranoia Squad: "Just spent the last 20 minutes reviewing my browser history and revoking every active token I have. I am sweating bullets right now."
  • The Vim Elitists: There's always that one group spamming: "This is why I only use Vim over SSH. No GUI, no URI handlers, no bullshit." Annoying? Yes. Correct in this specific scenario? Also yes.

The C4F Verdict: Don't Be a Noob

Look, even top-tier tools can backfire. Microsoft built deep integration so you could open repos directly from the browser, but accidentally built a backdoor for token thieves.

Here are your survival rules going forward:

  1. Stop clicking random links sent by strangers on Discord or Slack. If you see a vscode:// prompt pop up unexpectedly in your browser, hit "Cancel" and run for the hills.
  2. Principle of Least Privilege, people! Stop generating Personal Access Tokens (PATs) with full repo access just because you're too lazy to check the right boxes. Use GitHub's fine-grained PATs, scope them to specific repositories, and give them expiration dates. If shit hits the fan, you just revoke the token and move on.
  3. Update your VSCode immediately if there's a patch available. Stop hitting the "Remind me later" button!

Stay safe out there, and may your tokens remain un-stolen.


Sauce:

  • Hacker News Thread: 1-Click GitHub Token Stealing via a VSCode Bug
  • Ammar Askar's Blog: https://blog.ammaraskar.com/github-token-stealing/