
VS Code Configs Expose GitHub Codespaces to Supply Chain Attacks

GitHub Codespaces executes VS Code configs automatically, risking supply chain attacks via malicious JSON files.
Content Team

Orca Security discovered that GitHub Codespaces automatically executes VS Code configuration files when users open repositories or pull requests, creating a pathway for supply chain attacks. Attackers can embed malicious commands in JSON files within the .vscode/ folder that execute without user approval.

The vulnerability allows attackers to steal GitHub tokens, Codespaces secrets, and other sensitive data. In one attack scenario, bad actors fork a public repository and open a malicious pull request; when a maintainer opens that pull request in Codespaces, the maintainer's GitHub token is compromised. This lets the attackers push verified code under the identity of a legitimate maintainer.

Microsoft told Orca this behavior is intentional, raising concerns about the security implications of automated configuration execution in cloud development environments.

Source: SecurityWeek
