by pentel-0_5 492 days ago
It doesn't directly. These are malicious VS Code extensions. It's completely Microsoft's fault for poorly managing the ecosystem. They must curate extensions with security audits prior to publication and sandbox them with advertised entitlements. Without these, it's running untrusted code from the internet putting users at risk for ransomware, password and cc skimmers, data harvesting, and other malware.

The package was published on npm; the original extension has a private component on npm with a similar name to that package, and that is the squat the attacker tried to take advantage of.