Hacker News

Multiple steps:

1. Be aware of remote code downloading and execution. VSC extensions are remote code. Try to find out if you trust the source. I trust Debian repos, I certainly do not trust the VSC marketplace.

2. Know the policies around sandboxing. VSC is not a browser, and does no sandboxing at all.

3. Containerize or virtualize the application. If you're on Linux, always use Flatpak. Deny all filesystem permissions except for your root source code directory. This goes for browsers, too. Ideally they should support xdg-download and then have zero file permissions at all - otherwise, only grant ~/Downloads. Don't want a zero-day stealing your files.

4. Keep sensitive data in a separate, encrypted place. On Linux, you can use KDE vaults.

In a perfect world, we wouldn't be downloading and running remote code at all. But practically, this is untenable. I have JS enabled in my browser. Our best bet is limiting the blast radius when things go south.
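One way to carry out step 3 for a Flatpak'd editor, added here as an example that is not part of the comment above: it drops the blanket host/home grant, re-adds only the paths passed in, and audits the resulting permission keyfile. It assumes the Flathub app id com.visualstudio.code and a source tree at ~/src; both are assumptions, not taken from the comment.

```shell
#!/bin/sh
# Lock a Flatpak app down to the directories it actually needs, then audit
# the effective sandbox permissions. Assumed app id: com.visualstudio.code.

# Apply overrides: remove any broad filesystem grant from the app's own
# manifest, then grant back only the specific paths given as arguments
# (e.g. ~/src for the source tree, xdg-download for a browser).
lock_down() {
    app="$1"; shift
    flatpak override --user --nofilesystem=host --nofilesystem=home "$app"
    for fs in "$@"; do
        flatpak override --user --filesystem="$fs" "$app"
    done
}

# Read the 'filesystems=' line of a keyfile as printed by
# 'flatpak info --show-permissions APP' (passed as one string) and return
# 1 if a broad grant (host, host-os, host-etc, home) is still present and
# not negated with a leading '!'.
check_filesystems() {
    line=$(printf '%s\n' "$1" | sed -n 's/^filesystems=//p')
    old_ifs=$IFS; IFS=';'
    status=0
    for entry in $line; do
        name=${entry%%:*}          # strip a trailing :ro / :rw / :create
        case "$name" in
            host|host-os|host-etc|home) status=1 ;;
        esac
    done
    IFS=$old_ifs
    return $status
}

# Constructed samples of what 'flatpak info --show-permissions' prints.
# The first still has full home access (the state the comment warns about).
SAMPLE_LEAKY='[Context]
shared=network;ipc;
filesystems=home;xdg-download;'
SAMPLE_LOCKED='[Context]
shared=network;ipc;
filesystems=!host;~/src;xdg-download;'

if check_filesystems "$SAMPLE_LEAKY"; then echo "leaky sample: no broad grant found (unexpected)"; else echo "leaky sample: broad grant found"; fi
if check_filesystems "$SAMPLE_LOCKED"; then echo "locked sample: restricted"; else echo "locked sample: broad grant found"; fi

# Real use (flatpak must be installed); uncomment to apply:
# lock_down com.visualstudio.code ~/src
# check_filesystems "$(flatpak info --show-permissions com.visualstudio.code)" && echo "restricted"
```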



