Don't mark the folder as trusted when you open in VsCode. The number of other hooks that may exist is going to be hard to track down (especially because each addon may add their own).

This may only provide a flalse sense of security. Afaik, there is no way to disable workspace settings taking priority over user settings, so a malious repo can easily override them and reenable automatic tasks.

Various settings are `restricted` in the codebase to only use them when the workspace is trusted. `allowAutomaticTasks` is one such setting: https://github.com/microsoft/vscode/blob/f7730c409e14af94d75...

So a malicious repo can easily override it... if you say you trust it.

  On macOS systems, this results in the execution of a background shell command that uses nohup bash -c in combination with curl -s to retrieve a JavaScript payload remotely

Unrestricted outbound connections, specially from curl/wget/bash

Sounds like autorun on usb drives all over again. They cant learn

I think that's a bit ungenerous: there is a push and pull between security and seamless user experience and it's never obvious where the line should be set. You really only figure out which way to move it after someone complains.

Even if you lock everything now, what if the thing autoupdates with new helpful "features". You can't patch bad development culture.

1. Uninstall VSCode

2. Install Vim / Emacs / Sublime / Helix

3. ????

4. Profit

> Helix

I'm not sure about the other ones, but I know that helix supports language servers by default and it does not have a workspace trust system like vscode, so LSPs can automatically execute code when you enter a directory

https://github.com/helix-editor/helix/issues/9514#issuecomme...

So uninstalling VSCode would be a bit of a step back in that case

Yes, uninstall the whole thing. It's just a Chromium covered with a bunch of JavaScript.