I've heard about these attacks but never really had the time to understand what was happening. Some of our junior devs use VS Code, so now we have something to point them at.
VS Code will helpfully warn you when you open a folder that has a git repository. It asks if you trust the developers, since opening the folder could result in bad things happening. So this might not be such a big deal for VS Code users.
I think that assumption is very dangerous: if your editor only prompts when you first open the project, it won't help when that project is compromised later, or if you check out a merge request from someone untrustworthy/compromised while mentally thinking "my project is safe", even though you're a single gh/glab command away from that directory containing anything an outside party wants.
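One way to act on the point above, as an added example that is not code from the thread, from VS Code or from any other editor vendor: before checking out a branch or merge request into a workspace the editor already trusts, list the files in that change that an editor reads and acts on without prompting again. It assumes git is installed and the repository is the current directory; the set of directories it flags (`.vscode/`, `.idea/`, `.devcontainer/`) is an assumption about what is worth reviewing, chosen because VS Code honours `.vscode/settings.json`, `tasks.json` and `launch.json` inside a trusted folder, and the `refs/pull/N/head` layout in the usage comment is GitHub's.

```shell
#!/bin/sh
# Added example (not from the thread or any editor project): before checking
# out a ref into an already-trusted workspace, show which files in that ref
# live under directories an editor consumes on open. The directory list is an
# assumption about what deserves review; extend it for your own tooling.

EDITOR_PATHS='(^|/)(\.vscode|\.idea|\.devcontainer)/'

# Print the editor-consumed paths that differ between the merge base of
# BASE and TARGET and TARGET itself, i.e. what the merge request introduces.
editor_config_changes() {
  base="$1"
  target="$2"
  # "|| true" keeps the exit status clean when grep matches nothing, so this
  # function is safe to call from scripts running under "set -e".
  git diff --name-only "$base...$target" -- | grep -E "$EDITOR_PATHS" || true
}

# Return 0 when TARGET touches no editor-consumed files relative to BASE,
# 1 (with the offending paths on stderr) when it does.
check_before_checkout() {
  base="$1"
  target="$2"
  changes=$(editor_config_changes "$base" "$target")
  if [ -n "$changes" ]; then
    printf 'refusing to check out %s: it changes editor-consumed files:\n%s\n' \
      "$target" "$changes" >&2
    return 1
  fi
  return 0
}

# Typical use with a GitHub pull request N, assuming GitHub's refs/pull/N/head
# layout; the checkout only happens if the check passes:
#   git fetch origin "pull/$N/head"
#   check_before_checkout origin/main FETCH_HEAD && gh pr checkout "$N"
```

The check is deliberately about the diff of the incoming ref, not about the trust prompt: the editor's one-time decision is left alone, and the thing that changes between "I opened this project" and "I ran one gh command" is what gets inspected.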
I smelled something fishy and never ran it though.
https://news.ycombinator.com/item?id=48127469