@lizardmanisback@C2IRIS@0day_ninja@xoreaxeaxeax I think he meant the original makers publicly posting it, vs others' work.
But then again we would never get that for IME/PSP etc soooo 🤷♂️
‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs."
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
@0day_ninja I think it's a really insecure design as a whole, which is why we've had as many issues as we have.
On the other hand, it would make voltage glitching and other bits even more powerful on it.
@0day_ninja@C2IRIS https://t.co/Kqh6k6BqD4
@xoreaxeaxeax has done years of research into this and posted about it. I think recently he did another talk too; I can look for the link if you want.
@lean0x2f@Hacker0x01 >People are still thinking BB platforms are for the people's benefit, not the company's
Idk how cybersec got baited into normie-tier "Companies actually care about us :)" mentality.
@0day_ninja I assume they mean the malware doesn't do whatever custom obfuscation methods, etc, until there is a report already on the initial malware itself.
(so the methods to unpack it, spot it aren't in the report itself)
I could be completely wrong though.
@maskirovka3301@CIA@PalantirTech@mfa_russia@MFA_China Do you have any IoCs, logs, etc that you could have security researchers analyze?
The video showcases a USB not working, but there isn't much to go on besides that.
@Behi_Sec >download the most common ones SRC
>get an actually good AI model to organize what it does find, and doesn't
>code some shitty python 3 scripts to cover the gaps, not have the same IoCs as the main tools, etc
Hope it helps, friendo. Sorry it's a bit basic though
@medusa_0xf Yeah, most BB videos/courses are done by people that have under 10 public findings etc.
(not to say there is only public, but yeah scammers aplenty for BB)
@Behi_Sec@praetorianlabs Because a lot of BB posting is done by people that make all their money through selling courses and other shit, not actual bug hunting.
That or they did a little successful hunting, then quit completely for years just to sell the above stuff.
@encrypted_past@therealshodan It's an m$ employee, bro; they don't want to offend their overlord and master.
Funnily enough, m$ will gladly fire people with 20+ years working for them, though.
😕