A security researcher published a working exploit Tuesday for a flaw in Microsoft's VS Code allowing an attacker to steal a victim's GitHub access token with a single link click — saying he had bypassed Microsoft's official reporting process entirely because of how the company had treated his previous disclosures.

It comes just weeks after thousands of GitHub's internal repositories were breached by the cybercrime group TeamPCP through a poisoned extension for VS Code — Microsoft's code-editing software that has become a recurring target for hackers looking to harvest credentials, tokens and source code on developers' machines. It also comes days after Microsoft received backlash over statements about researchers who publish vulnerability information without coordinating with the company first.

The security researcher, Ammar Askar, released the new proof-of-concept exploit on his personal blog — alongside the public tracker for issues in VS Code — giving a GitHub security contact roughly one hour's notice beforehand. He said he was disclosing the bug publicly, and would do so for future VS Code bugs, after Microsoft's Security Response Center "silently" fixed a previous issue he had reported without crediting him and while denying it had any security impact.

It is the latest example of security researchers losing patience with Microsoft's vulnerability disclosure process and choosing to publish working exploits rather than report them privately — a shift security professionals have warned raises real-world risk for the developers and organizations left exposed before a fix arrives. Another researcher known as Nightmare Eclipse has in recent weeks published several Windows zero-days without coordinating with Microsoft, again citing grievances with the way the company handles disclosures.
Microsoft's first response to that researcher — condemning the uncoordinated releases as "never justifiable" and saying its Digital Crimes Unit would "continue bringing cases against" those enabling criminal actors — provoked a backlash from the security community. While the company stopped short of naming or directly threatening Nightmare Eclipse, its language was widely perceived as a threat.

Earlier this week Microsoft appeared to walk back that tone, issuing a new statement clarifying it has "no intention to pursue action" against researchers who find and publish vulnerabilities, and acknowledging that "some interactions have fallen short," adding that it is "working to learn" from them. "The security community plays a vital role in helping us protect customers," Microsoft said. "We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions."

Microsoft did not respond before publication to questions about whether it had credited Askar, why no CVE was assigned, or how many github.dev users were exposed before the fix.