Critical vulnerabilities in four widely used VS Code extensions could enable file theft and remote code execution across 125M installs.