A group of Israeli researchers explored the security of the Visual Studio Code marketplace and managed to "infect" over 100 organizations by trojanizing a copy of the popular 'Dracula Official theme to include risky code. Further research into the VSCode Marketplace found thousands of extensions with millions of installs.
I wouldn’t be too hard on Microsoft. The requirement to curate public package repositories only emerged somewhat recently, as demonstrated by the likes of npm, and putting in place a process to audit and pull out offending packages might not be straight-forward.
I think the main take on this is to learn the lesson that it is not safe to install random software you come across online. Is this lesson new, though?
I think people often have a vaguely formed assumption that plugins are somehow sandboxed and less dangerous. But that all depends on the software hosting the plugin. There was a recent issue with a KDE theme wiping a user’s files which brought this to light. We can’t assume plugins or themes are any less dangerous than random executables.