> Because threat actors find new ways to evade detection on public repositories used for software development, it is recommended that users inspect packages before installation, especially when the source is not a reputable publisher.

Serious question: what is realistically meant by "inspect packages before installation" here? I assume they don't mean "review all the code in the packaged node_modules to find any trojans." Maybe "don't install plugins with packaged dependencies" but I'm not sure how common it is in this context.

My takeaway will just be "continue to use the default VSCode theme."