Malicious VSCode extensions steal PII and enable backdoors