June 3, 2026

Ammar Askar Leaks VS Code OAuth Exploit Amid Microsoft Disclosure Revolt

Independent researcher Ammar Askar publishes a working Visual Studio Code exploit in roughly one hour, citing dismissed MSRC submissions and escalating the zero-day conflict driven by Nightmare Eclipse.

Photo: hands typing on a keyboard, code on a blurred screen (Luke Lung / Unsplash)

Independent researcher Ammar Askar bypassed Microsoft's coordinated disclosure protocol to publish a working Visual Studio Code exploit in roughly one hour, citing a pattern of dismissive treatment from the Microsoft Security Response Center (MSRC). The flaw allows an attacker to harvest unscoped OAuth tokens and gain read-write access to linked GitHub repositories.

Askar's rapid publication mirrors the tactics associated with "Nightmare Eclipse," a suspected former Microsoft employee who has already released six Microsoft/Windows zero-days—including three actively exploited flaws—since early 2026. The latest incident signals a breakdown in the voluntary disclosure framework that typically separates researchers from vendors.

The github.dev attack chain

The exploit targets the integration between Visual Studio Code and its cloud-hosted workspace, github.dev. The attack relies on abusing the Workspace Recommendations feature to inject a malicious extension into the user's environment.

Execution requires minimal interaction from the victim. A user simply opens a Jupyter Notebook file (.ipynb) via github.dev. Behind the scenes, hidden HTML and JavaScript execute within the browser-based Webview. The script simulates a keyboard shortcut sequence engineered to force-approve the malicious extension popup automatically.

Once installed, the extension extracts unscoped OAuth tokens from the session. Because these tokens lack scope limitations, they grant the attacker full read and write capabilities across every public and private repository connected to the compromised account.

This mechanism demonstrates how trusted developer toolchains can serve as initial footholds. The extension recommendation system transforms a routine notebook view into a credential-scraping vector, expanding the effective supply-chain attack surface beyond traditional distribution channels.
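As an added illustration (not code from the article, from Askar, or from Microsoft), a repository scan a defender could run in CI to flag the two ingredients described above: workspace extension recommendations outside a vetted allowlist, and notebook markup that a viewer would render as active or hidden content. The allowlist and the sample inputs are constructed assumptions.

```python
import json
import re

# Constructed allowlist of extension IDs an organisation has vetted (assumption).
ALLOWED_EXTENSIONS = {"ms-python.python", "ms-toolsai.jupyter"}

# Markup a notebook renderer would turn into live or invisible DOM content.
ACTIVE_RE = re.compile(r"<\s*(script|iframe|object|embed)\b|javascript:|\bon[a-z]+\s*=", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|\bhidden\s*[=>]", re.I)


def _text(value):
    """Notebook JSON stores text either as one string or as a list of lines."""
    return "".join(value) if isinstance(value, list) else str(value)


def check_recommendations(extensions_json):
    """Return IDs from .vscode/extensions.json that are not on the allowlist."""
    # VS Code tolerates // comments in this file; strip them before parsing.
    cleaned = re.sub(r"^\s*//.*$", "", extensions_json, flags=re.M)
    data = json.loads(cleaned)
    return [ext for ext in data.get("recommendations", []) if ext not in ALLOWED_EXTENSIONS]


def check_notebook(ipynb_json):
    """Return (cell index, reason) for cells whose rendered markup looks active or hidden.

    Only markdown sources and text/html outputs are inspected: those are what a
    notebook viewer renders as HTML, whereas code-cell source is shown as text.
    """
    nb = json.loads(ipynb_json)
    findings = []
    for idx, cell in enumerate(nb.get("cells", [])):
        chunks = []
        if cell.get("cell_type") == "markdown":
            chunks.append(_text(cell.get("source", "")))
        for out in cell.get("outputs", []):
            chunks.append(_text(out.get("data", {}).get("text/html", "")))
        blob = "\n".join(chunks)
        if ACTIVE_RE.search(blob):
            findings.append((idx, "active content"))
        elif HIDDEN_RE.search(blob):
            findings.append((idx, "hidden element"))
    return findings


def scan(files):
    """files: mapping of repo-relative path -> file contents. Returns (path, finding) pairs."""
    report = []
    for path, text in files.items():
        if path.endswith(".vscode/extensions.json"):
            report += [(path, f"unvetted recommendation: {e}") for e in check_recommendations(text)]
        elif path.endswith(".ipynb"):
            report += [(path, f"cell {i}: {why}") for i, why in check_notebook(text)]
    return report
```

A hit on either check is a reason to review the pull request before anyone opens the repository in github.dev, not proof of compromise on its own.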

The dispute over disclosure norms

Askar's decision to go public stems from repeated friction with MSRC. According to his account, a prior submission was silently patched, stripped of attribution, and ultimately classified as "not having any security impact." Similarly, a cross-site scripting vulnerability identified by Starlabs was downgraded to low severity or ruled ineligible.

Rather than wait for a resolution, Askar contacted an "old" associate at VS Code and then published the proof-of-concept roughly sixty minutes later.

Microsoft responded swiftly. The MSRC blog condemned the uncoordinated dump, specifically referencing the Digital Crimes Unit. The post framed the leak as a violation of responsible disclosure practices, implying potential legal consequences for such actions.

Industry reaction has been hostile toward Microsoft's framing. Critics argue that invoking law enforcement resources against independent researchers violates long-standing norms and actively discourages qualified contributors from engaging with the program. The backlash echoes the controversy surrounding earlier zero-day leaks attributed to the Nightmare Eclipse collective.

That group continues to operate aggressively. Following the latest dump, Nightmare Eclipse has issued warnings of additional disruptive releases scheduled for July 14, 2026, contingent on whether Microsoft addresses underlying grievances.

Our read

The patching window has effectively collapsed. Enterprises relying on Microsoft tooling now face detection and blocking mandates measured in hours rather than the standard twelve-to-fourteen-day grace period. When vendors treat qualified reporters as adversaries, the timeline shrinks until there is no operational safety net left.

Microsoft's reliance on the Digital Crimes Unit creates a perverse incentive structure. By signaling that uncoordinated disclosure invites prosecution, the company forces researchers into silence or rebellion. Both outcomes degrade visibility. Silence hides flaws; rebellion ensures they are weaponized by anyone willing to scrape the public feed.

The technical vector reinforces this strategic error. The ability to hijack OAuth tokens through a notebook viewer proves that the boundary between "trusted tool" and "attack surface" has dissolved. Developers assume extensions recommended by their host environment carry implicit vetting. That assumption no longer holds.

The upcoming July 14 deadline serves as a pressure test. Whether the next wave comes from Nightmare Eclipse or a new cohort of aggrieved hunters depends less on individual malice and more on Microsoft's willingness to repair the feedback loop. Until the vendor treats disclosure as a collaborative engineering discipline rather than a compliance hurdle, critical flaws will remain in the wild until they are extracted by force.


Reporting from The Register and TechCrunch.

The Signal

AI-generated brief

Microsoft’s adversarial handling of security research is collapsing responsible disclosure timelines and pushing vulnerabilities straight into the hands of attackers.

Stance · Bearish
Confidence · Established

The article concludes that Microsoft’s punitive approach to vulnerability reporting guarantees faster exploitation, degraded enterprise visibility, and a permanent fracture in the researcher-vendor relationship.

Key takeaways

  • Attackers can steal unscoped OAuth tokens and gain full read-write access to all linked GitHub repositories by injecting a malicious extension through github.dev’s Jupyter notebook viewer.
  • Standard patching windows have effectively vanished, reducing enterprise defense cycles from weeks to mere hours as coordinated disclosure breaks down.
  • Microsoft’s invocation of the Digital Crimes Unit against independent researchers has triggered severe industry backlash and threatens to permanently damage voluntary bug bounty participation.
  • The Nightmare Eclipse collective has warned of additional disruptive zero-day releases tied to unresolved grievances, testing the resilience of Microsoft’s security feedback loops.

What to watch next

  • Whether Microsoft modifies its disclosure policies before the July 14 deadline triggers further leaks
  • Adoption of stricter cryptographic signing and sandboxing requirements for VS Code extensions
  • Industry-wide migration toward formalized, legally protected safe harbors for independent researchers

Who should care

  • Enterprise security teams
  • DevOps and platform engineers
  • Vulnerability disclosure managers

Key players

  • Ammar Askar
  • Microsoft Security Response Center
  • Nightmare Eclipse
  • Visual Studio Code
  • Digital Crimes Unit

Auto-generated from the article by our model — a reading aid, not a replacement for the piece.
