The decision by researcher Ammar Askar to publicly release a one-click GitHub token theft exploit targeting VS Code marks a sharp escalation in tensions between security researchers and Microsoft, exposing systemic flaws in coordinated vulnerability disclosure that extend far beyond a single bug. While The Record correctly notes Askar bypassed Microsoft's process due to prior silent fixes without credit, this coverage underplays the cumulative pattern: repeated VS Code compromises, including the recent TeamPCP poisoned extension attack that breached thousands of GitHub internal repos, reveal how developer tools have become prime vectors for credential harvesting at scale. Askar's move echoes the actions of Nightmare Eclipse, who released Windows zero-days citing similar grievances, and Microsoft's initial aggressive response—threatening legal action via its Digital Crimes Unit—only amplified community backlash before a partial walk-back emphasizing good-faith engagement. Synthesizing this with broader evidence from the 2023 XZ Utils backdoor attempt and ongoing reports in Krebs on Security on platform trust erosion, the core issue is not isolated researcher frustration but a structural supply-chain vulnerability where uncredited fixes and opaque processes incentivize public exploits, leaving GitHub.dev and enterprise users exposed longer. This accelerates a shift where researchers prioritize rapid public awareness over private coordination, eroding the already fragile trust in Microsoft's ecosystem and heightening risks of cascading attacks on CI/CD pipelines worldwide.