Web-based IDEs like VS Code on GitHub just had a 1-click GitHub token-stealing vulnerability: https://blog.ammaraskar.com/github-token-stealing/
You could argue this is probably on GitHub for creating a token here that gives blanket access to all repos vs a scoped token for just the repo.