1-Click GitHub Token Stealing via a VSCode Bug
Summary
The article describes a security vulnerability in VSCode's webview that enables one-click theft of a GitHub token via a crafted payload. It explains how the token is exfiltrated, walks through the PoC steps, assesses the potential impact on private repositories, and covers mitigations such as a Content Security Policy (CSP), careful scoping of the token, and clearing user data on github.dev. It also discusses the disclosure history and gives defensive recommendations.