In VS Code settings search for "tasks" you will find "Task: Allow Automatic Tasks"...turn it off.

Anything else that should be locked down?

▲ rcxdude 3 hours ago | parent | next [-]

Don't mark the folder as trusted when you open in VsCode. The number of other hooks that may exist is going to be hard to track down (especially because each addon may add their own).

▲ StingyJelly 5 hours ago | parent | prev | next [-]

This may only provide a flalse sense of security. Afaik, there is no way to disable workspace settings taking priority over user settings, so a malious repo can easily override them and reenable automatic tasks.

	▲	Tyriar an hour ago \| parent [-]
		Various settings are `restricted` in the codebase to only use them when the workspace is trusted. `allowAutomaticTasks` is one such setting: https://github.com/microsoft/vscode/blob/f7730c409e14af94d75... So a malicious repo can easily override it... if you say you trust it.

▲ Muromec 6 hours ago | parent | prev | next [-]

Sounds like autorun on usb drives all over again. They cant learn

▲ exitb 6 hours ago | parent | prev | next [-]

Even if you lock everything now, what if the thing autoupdates with new helpful "features". You can't patch bad development culture.

▲ gus_ 6 hours ago | parent | prev | next [-]

  On macOS systems, this results in the execution of a background shell command that uses nohup bash -c in combination with curl -s to retrieve a JavaScript payload remotely

Unrestricted outbound connections, specially from curl/wget/bash

▲ dude250711 6 hours ago | parent | prev [-]

Yes, uninstall the whole thing. It's just a Chromium covered with a bunch of JavaScript.