Researcher publishes GitHub token-stealing exploit, blames Microsoft’s disclosure process

The security researcher, Ammar Askar, released the new proof-of-concept exploit on his personal blog — alongside the public tracker for issues in VS Code — giving a GitHub security contact roughly one hour's notice beforehand.
The researcher chose to publicly release the exploit after perceiving Microsoft's disclosure process as inadequate, aiming to force quicker mitigation.
This incident highlights ongoing vulnerabilities in critical software supply chains and the tension between security researchers and large technology companies regarding disclosure practices.
Immediate attention is now required for GitHub token security, and public pressure may accelerate Microsoft's response to such vulnerabilities.
- White-hat security researchers
- Users who update their software promptly
- Microsoft
- GitHub
- Users with compromised tokens
GitHub users and corporate environments face immediate risk from token theft and must implement protective measures.
Microsoft may revise its vulnerability disclosure policies and processes to prevent similar public releases in the future.
Increased scrutiny of software development environments and CI/CD pipelines for token and credential management could become an industry standard.
Read at The Record