From securityonline.info
Security researchers have disclosed technical details of a remote code execution vulnerability in Visual Studio Code (CVE-2023-36742, CVSS score 7.8), together with a public proof-of-concept (PoC) exploit.
The flaw affects VS Code versions 1.82.0 and earlier. It is triggered when a user works with a maliciously crafted package.json file, and results in commands being executed locally on the user's machine. In the exploitation scenario, an attacker entices a VS Code user into opening a malicious project and interacting with malformed entries in the dependencies sections of its package.json file. Because the attack needs that interaction, the practical exposure is to developers who open untrusted repositories; updating to a patched release removes the underlying flaw.
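A defender triaging an untrusted repository before opening it in an editor can at least check that the dependency entries in package.json look like legitimate npm input. The following Node.js script is an added example, not code from the article, from the PoC or from VS Code itself; it applies a conservative approximation of npm's package-name rules (lowercase URL-safe characters, optional @scope/ prefix, at most 214 characters) to every key of the dependency sections and rejects version specifiers containing shell metacharacters. It is a heuristic screen for malformed entries of the kind the article describes, not a reproduction of the vulnerability, and the sample package.json contents are constructed for the demonstration.

```javascript
'use strict';

// Added example: flag dependency entries in a package.json that could not be
// legitimate npm input. This does not reproduce CVE-2023-36742; it screens a
// file for malformed entries before it is opened in an editor.

const DEPENDENCY_SECTIONS = [
  'dependencies',
  'devDependencies',
  'peerDependencies',
  'optionalDependencies',
];

// Conservative approximation of npm's package-name rules (assumption: we only
// need to spot names that could never be valid, not to accept every valid one).
const VALID_NAME = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;

// Version specifiers are free-form (tags, ranges, git and file URLs), so only
// characters that have no business in any of them are rejected.
const SHELL_META = /[;&|`$<>(){}\n\r\\'"]/;

function isValidPackageName(name) {
  return name.length > 0 && name.length <= 214 && VALID_NAME.test(name);
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditPackageJson(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (e) {
    return [{ section: null, name: null, reason: `unparseable JSON: ${e.message}` }];
  }
  const findings = [];
  for (const section of DEPENDENCY_SECTIONS) {
    const deps = pkg[section];
    if (deps === undefined) continue;
    if (deps === null || typeof deps !== 'object' || Array.isArray(deps)) {
      findings.push({ section, name: null, reason: 'section is not an object' });
      continue;
    }
    for (const [name, spec] of Object.entries(deps)) {
      if (!isValidPackageName(name)) {
        findings.push({ section, name, reason: 'name is not a valid npm package name' });
      }
      if (typeof spec !== 'string') {
        findings.push({ section, name, reason: 'version specifier is not a string' });
      } else if (SHELL_META.test(spec)) {
        findings.push({ section, name, reason: 'version specifier contains shell metacharacters' });
      }
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from any real project or from the PoC).
const CLEAN_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: { express: '^4.18.2', '@types/node': '20.5.0' },
  devDependencies: { eslint: 'latest' },
});

const SUSPICIOUS_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: {
    express: '^4.18.2',
    'lodash; echo pwned': '1.0.0',
    'Uppercase Name': '1.0.0',
  },
  devDependencies: { eslint: '1.0.0 && touch /tmp/x' },
});

// Human-readable report for one file, used when running the script directly.
function formatReport(label, text) {
  const findings = auditPackageJson(text);
  const lines = [`${label}: ${findings.length} finding(s)`];
  for (const finding of findings) {
    lines.push(`  [${finding.section}] ${JSON.stringify(finding.name)}: ${finding.reason}`);
  }
  return lines.join('\n');
}

console.log(formatReport('clean', CLEAN_PACKAGE_JSON));
console.log(formatReport('suspicious', SUSPICIOUS_PACKAGE_JSON));
```

Run it as `node audit-package-json.js`; to screen a real repository, replace the constructed strings with the output of `fs.readFileSync('package.json', 'utf8')`. A non-empty finding list is a reason to inspect the file in a plain text viewer before letting any editor or package tooling act on it.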