How safe are extensions in Visual Studio Code?
It's hard to quantify precisely. Anecdotally, the trend over the last 3 to 5 years is moving towards "less safe" (see https://www.bleepingcomputer.com/news/microsoft/vscode-marketplace-can-be-abused-to-host-malicious-extensions/).
Can extensions introduce malware?
Absolutely. It's code someone else wrote, executing on your computer.
Is it safe to install any extension?
No.
Nein. Non. Neel. Nei. Nie. Nej. (Darn. Can't think of any more ways to say no.)
Typical ways extensions are a security threat:
Typo Squatting: where the user installs an extension that looks nearly identical (except for a small typo) to the "official" one
Stolen credentials: there are some known instances of legitimate developers having auth tokens or usernames/passwords stolen via a malicious extension
Vulnerable code: some legitimate extensions contain code that has security vulnerabilities - though these are harder to exploit generally
Phoning home: there are also some extensions that do things they should not be doing, like sending network requests to less-than-reputable IP addresses
The real question is, how do you avoid problems with extensions?
Personally, my approach to this is generally to be skeptical by default. If I didn't write the code in question, I want to know where it came from. If where it came from looks odd to me, then I try to find an alternative backed by a trustworthy community or I decide to go without that extension.
If I need a way to do some research on an extension I am interested in, I recently found this: https://www.extensiontotal.com/. Not every extension has coverage, but it does get me into the headspace of "find out if this is trustworthy".
I also try to remember to use "Lateral Reading" techniques (https://www.openmindsfoundation.org/blog/the-power-of-lateral-reading/).
For me, this type of thinking applies to code just as much as it applies to other forms of content found online.
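One way to automate the typo-squatting check from the list above, as an added example that is not part of the original answer: it compares installed extension IDs (as printed by `code --list-extensions`) against an allowlist you have already vetted and flags near-misses. The `TRUSTED` and `SAMPLE` values are constructed for illustration, and the function names are hypothetical.

```python
import subprocess

# Allowlist of extension IDs (publisher.name) you have already vetted, lowercase.
# Example values only; replace with your own list.
TRUSTED = {"ms-python.python", "esbenp.prettier-vscode", "dbaeumer.vscode-eslint"}

def edit_distance(a, b):
    """Levenshtein distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def find_lookalikes(installed, trusted=TRUSTED, max_distance=2):
    """Return (installed_id, trusted_id, reason) for IDs that resemble a trusted one."""
    findings = []
    # Extension IDs are compared case-insensitively, so normalise first.
    for ext in sorted({e.strip().lower() for e in installed if e.strip()}):
        if ext in trusted:
            continue
        for good in sorted(trusted):
            name, good_name = ext.split(".", 1)[-1], good.split(".", 1)[-1]
            if name == good_name:
                findings.append((ext, good, "same name, different publisher"))
            elif edit_distance(ext, good) <= max_distance:
                findings.append((ext, good, "near-identical ID"))
    return findings

def installed_extensions():
    """IDs reported by the VS Code CLI (needs `code` on PATH)."""
    out = subprocess.run(["code", "--list-extensions"],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()

# Constructed sample input, so the check runs without VS Code installed.
SAMPLE = ["ms-python.python", "esbenp.pretier-vscode", "dbaeumr.vscode-eslint",
          "someone-else.python", "redhat.vscode-yaml"]

if __name__ == "__main__":
    for ext, good, reason in find_lookalikes(SAMPLE):
        print(f"REVIEW {ext}: {reason} as {good}")
```

A hit is a prompt to look at the publisher and source before trusting the extension, not proof of malice; pass `installed_extensions()` instead of `SAMPLE` to check a real install.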