VSCode Security Deep Dive: How a 1-Click Bug Could Exfiltrate GitHub Tokens
#security
#vscode
#github
#tokens
#ide
@codelab | 2026-06-03 09:35:14
CVE-2026-XXXX: a VSCode extension vulnerability enables GitHub token exfiltration in one click. The attack chain has three parts: virtual extensions bypass workspace trust, getSession() is available without user consent for certain providers, and triggerHover() combined with webview postMessage exfiltrates via a hidden iframe. The fundamental tension is that the extension model prioritizes convenience over security. The VSCode 1.96 patch adds permission prompts, but social engineering remains. Defensive measures: audit extensions, use workspace trust, and use fine-grained PATs.
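One way to start the "audit extensions" measure, as an added example that is not from the original page: a Node.js check over extension `package.json` manifests that flags extensions whose declared `capabilities.untrustedWorkspaces`, `capabilities.virtualWorkspaces` and `activationEvents` let their code run before workspace trust is granted. The sample manifests, the function names and the review rule are constructed assumptions.

```javascript
// Constructed sample manifests (not real extensions). In practice, parse each
// package.json found under the VS Code extensions directory and pass them in.
const SAMPLE_MANIFESTS = [
  { name: "theme-only", publisher: "example",
    capabilities: { untrustedWorkspaces: { supported: true } } },
  { name: "repo-helper", publisher: "example", main: "./out/ext.js",
    activationEvents: ["*"],
    capabilities: { untrustedWorkspaces: { supported: true },
                    virtualWorkspaces: true } },
  { name: "linter", publisher: "example", main: "./out/ext.js",
    activationEvents: ["onLanguage:python"],
    capabilities: { untrustedWorkspaces: { supported: false },
                    virtualWorkspaces: { supported: false, description: "needs disk" } } },
  { name: "legacy", publisher: "example", main: "./out/ext.js",
    activationEvents: ["onStartupFinished"] },
];

// A capability is written either as a bare value or as { supported: value }.
function declared(cap) {
  if (cap === undefined || cap === null) return "undeclared";
  return typeof cap === "object" ? (cap.supported ?? "undeclared") : cap;
}

// Assumed review rule: only extensions that ship code (main/browser) matter,
// and each trust-relevant declaration adds one reason for a manual look.
function auditManifest(m) {
  const caps = m.capabilities || {};
  const untrusted = declared(caps.untrustedWorkspaces);
  const virtual = declared(caps.virtualWorkspaces);
  const events = m.activationEvents || [];
  const hasCode = Boolean(m.main || m.browser);
  const reasons = [];
  if (hasCode && (untrusted === true || untrusted === "limited"))
    reasons.push("runs code in untrusted workspaces");
  if (hasCode && (virtual === true || virtual === "limited"))
    reasons.push("declares virtual workspace support");
  if (hasCode && events.some((e) => e === "*" || e === "onStartupFinished"))
    reasons.push("activates without user action");
  return { id: `${m.publisher}.${m.name}`, untrusted, virtual, reasons };
}

// Return only the extensions that need review, most reasons first.
function auditAll(manifests) {
  return manifests.map(auditManifest)
    .filter((r) => r.reasons.length > 0)
    .sort((a, b) => b.reasons.length - a.reasons.length);
}

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
```

A flagged extension is a candidate for manual review of its source and publisher, not a finding that it is malicious.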