Security researchers found two AI-branded VS Code extensions with 1.5M installs that covertly send source code and files to China-based servers.