neat writeup/exploration of web bypasses. "send any key u want to the iframe" is a p powerful primitive, rest is (necessary!) window dressing
1-Click GitHub Token Stealing via a VSCode Bug
Posted on 2026-06-04: https://blog.ammaraskar.com/github-token-stealing/