Microsoft only started really cracking down on malicious extensions relatively recently (<1 year ago).

Despite their best efforts, the marketplace is getting increasingly dangerous. The list published here is of malicious extensions that were discovered only after allowing them free reign on the marketplace - imagine how many are still out there.

Upvoted because everyone using vscode needs to see this