A security researcher discovered a vulnerability in VSCode that allows an attacker to steal a GitHub token by exploiting a bug in the webview security model. The bug enables an attacker to simulate keyboard events, which can be used to install a malicious extension and gain access to the victim's GitHub account. The researcher reported the issue to Microsoft, but due to a previous negative experience with the company's security response, they decided to disclose the vulnerability publicly. The vulnerability exists in both the desktop and web versions of VSCode.