A remote code execution vulnerability exists in Visual Studio Code when it process environment variables after opening a project, aka 'Visual Studio Code Remote Code Execution Vulnerability'.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0728
http://www.securityfocus.com/bid/106913