@lirantal As a dev, I can confidently say this #vscode popup is unacceptable and has already done its damage by causing widespread alarm fatigue.
They made this to show up on EVERY SINGLE FOLDER I open with vscode. It has so clearly been bogus from day 1 that I never even looked into what triggers it, because the criteria are clearly wrong.
It SHOULD have been designed to only show up when a .vscode directory exists in the folder, or maybe if extensions with fancy auto-exec capabilities get loaded. Maybe vscode comes preloaded with those, but that's not my problem; I just used it as a dumb text editor on an empty repo and got this message.
Context: I created this rant after thinking about this vscode exploit: https://infosec.exchange/@lirantal/110468310055535868 and how to protect developers from code exec via a repo they clone. This is not it.
Liran Tal :verified: (@[email protected])
Undocumented settings in VS Code lead to command execution and may be abused. Microsoft did end up fixing it. Here's the read on the security issue: https://blog.ammaraskar.com/vscode-rce/ Remember, devs: open-source supply chain security is mostly about being able to target *YOU*.