A VS Code exploit for github.dev can steal GitHub OAuth tokens after one malicious link, exposing private repositories while teams await a patch.
GitHub internal repositories breached via malicious VS Code extension; TeamPCP demands $50K for 3,800 stolen repos May 2026.
XDA Developers on MSN
A poisoned VS Code extension led to a GitHub breach, and Microsoft owns every link in the chain
Microsoft has had a VS Code extension for a long time, and it finally came back to bite them.
Some results have been hidden because they may be inaccessible to you
Show inaccessible results