VS Code Remote-SSH RCE Lets Attackers Pivot From Developer Machines to Cloud Servers
ID: 86a7988c-22b8-5a52-a05c-1da4b750b539
STIX ID: report--86a7988c-22b8-5a52-a05c-1da4b750b539
Feed Name: cybersecurityNews.com
A newly disclosed flaw in VS Code’s Remote-SSH extension allows a local attacker who has compromised a developer machine to modify, via a TOCTOU race, a temporary bootstrap script that Remote-SSH deploys to remote hosts. This enables remote code execution on AWS, Azure, and on-prem servers after a legitimate login, rendering MFA ineffective. Proof-of-concept tests show cross-environment impact, and the issue affects widely used extensions and integrations. Microsoft acknowledged the report but characterized the behavior as consistent with product design, leaving mitigation to users and organizations.
