A group of Israeli researchers explored the security of the Visual Studio Code marketplace and managed to "infect" over 100 organizations by trojanizing a copy of the popular 'Dracula Official theme to include risky code. Further research into the VSCode Marketplace found thousands of extensions with millions of installs.
Maybe, but I think the only app store that does vet apps is the Apple one, so that should be the default expectation.
And I think even they wouldn’t manually look for something like this. They’re mainly concerned about people breaking the commercial rules.