/.vscode/sftp.json upload in environment production?

[morojosa]

I have observed that some malicious attackers try to obtain this file in production environments to obtain the keys stored there

[AureliusSlawinski]

Yes, this happened to us. We had a .htaccess inside the .vscode folder. But someone deleted the complete .vscode folder on the remote server (to clean up files). Then someone uploded the sftp.json accidentally, and without the .htaccess file the sftp.json was public (together with the ftp password).

Please allow a setting in sftp.json to specify a path to a username-password.json (or to a second sftp.json), so that this file can be located outside of any project folder. This way the file will not be uploaded in any case - even with other FTP programs that might also be used!