This attack is exactly why IDE's have a concept of trusted and untrusted locations.
That is a very recent addition. The exact behavior they are describing was in VS Code for almost a decade.