The how of the payload is a bit convoluted, but if you'd like to read the details, developer Zach Schneider has done a great job of compiling the various bits of info into a single article.
The payload itself would try to steal bitcoin from users using the CoPay platform.
Fortunately, while event-stream is linked to various organisations, including the BBC and Microsoft, their projects were not seriously affected.
Microsoft acted quickly to determine the impact of the payload to Visual Studio Code users, ultimately ruling out major risk. In fact, it didn't even need to patch Code, instead choosing to ban and auto-uninstall affected extensions.
I don't know what to say [GitHub]