What Is This About?

If you recently received a letter or an email from Microsoft (VSCode) and GitHub informing you that your sensitive personal information was compromised in a data breach, we would like to speak with you about your rights and potential legal remedies. Microsoft (VSCode) and GitHub recently disclosed that it was the victim of a security vulnerability/incident that exposed individuals’ sensitive personal information.

What Happened?

On June 2, 2026, security researcher Ammar Askar publicly disclosed a critical vulnerability in Visual Studio Code’s webview implementation affecting both the browser-based github.dev environment and the desktop VSCode application. The disclosure described an attack in which a victim could have GitHub OAuth tokens exfiltrated after clicking a single malicious link, with the stolen tokens allegedly enabling full read/write access to victims’ private GitHub repositories globally. The described attack chain includes use of malicious Jupyter Notebook or VSCode extension files, potential silent installation of malicious extensions, and exploitation of unscoped OAuth tokens. The disclosure also stated the issue could potentially lead to Remote Code Execution (RCE). Based on the provided information, Microsoft/GitHub’s date of discovery, whether third-party forensic investigators were engaged, whether notice letters were sent to impacted individuals, and whether any Attorney General or other government filings were made have not been provided. The disclosure further stated there was no prior coordinated disclosure with Microsoft and that GitHub was notified approximately one hour before the public release.

What Information Was Impacted?

Upon information and belief, the following types of sensitive personal information may have been compromised:

• "GitHub OAuth tokens (authentication/access tokens)";
• "Access to private GitHub repositories (read/write access enabled by stolen tokens)" .

What Action Can You Take?

Levi & Korsinsky, LLP is investigating whether affected users are entitled to compensation. If you received a notice from Microsoft (VSCode) and GitHub, there is no cost or obligation to participate. Follow the link below to find out about your rights and potential legal remedies available.