> Make a malicious VSCode/IDE extension and maybe you hit some hundreds or thousands of devs, a couple of smaller companies, and probably can get on some infosec blogs...

Attackers just have to hit one dev with commit rights to an app or library that gets distributed to millions of users. Devs are multipliers.