Microsoft has taken down two widely used VSCode extensions, Material Theme – Free and Material Theme Icons – Free, from the Visual Studio Marketplace after cybersecurity researchers flagged them for containing potentially malicious code.

The extensions, created by Mattia Astorino (aka equinusocio), had nearly 9 million downloads, with all of the developer’s extensions collectively surpassing 13 million installs. Users who had these themes installed are now seeing alerts in VSCode that they have been automatically disabled.

Cybersecurity researchers Amit Assaraf and Itay Kruk discovered suspicious activity in the extensions and reported their findings to Microsoft. According to a Microsoft employee’s post on Hacker News, the company conducted its own security analysis and confirmed the presence of multiple red flags indicating malicious intent. As a result, Microsoft banned the developer from the VS Marketplace, removed all of their extensions, and uninstalled them from all VSCode instances.

The researchers suggested that the malicious code might have been introduced in a recent update, possibly due to a supply chain attack or a compromised developer account. They noted that theme extensions should only contain static JSON files and should not execute any code. However, the release-notes.js file in the extension contained heavily obfuscated JavaScript, which is a major security concern in open-source software. Partial deobfuscation of the file revealed references to usernames and passwords, but the exact nature of their use remains unclear.

Astorino, the developer of the removed extensions, denied any intentional wrongdoing. He claimed that an outdated Sanity.io dependency, which had been used since 2016 to fetch release notes, was compromised. He criticized Microsoft for removing the extensions without reaching out for clarification, stating that removing the outdated dependency would have been a simple fix.

Following the takedown, Astorino attempted to publish a rewritten extension called Fanny Themes, claiming it had no external dependencies. However, Microsoft also removed this new extension from the VSCode Marketplace.

Until the situation is resolved, security experts recommend removing the following extensions from all projects:

  • equinusocio.moxer-theme
  • equinusocio.vsc-material-theme
  • equinusocio.vsc-material-theme-icons
  • equinusocio.vsc-community-material-theme
  • equinusocio.moxer-icons
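
The two checks a defender would want after reading this are simple to automate: whether any of the IDs above is present in a local extensions directory, and whether an extension that only contributes themes or icon themes also declares a script entry point, since, as noted above, a theme should ship static JSON and no code. The script below is an added example, not code from the article, from Microsoft or from the extension author; it assumes the standard layout of `~/.vscode/extensions/<folder>/package.json` and the documented manifest keys (`main`, `browser`, `activationEvents`, `contributes.themes`, `contributes.iconThemes`, `contributes.productIconThemes`). The sample manifests it builds are constructed for the demonstration and are not the real extensions' contents.

```python
"""Audit a local VS Code extensions directory for the extension IDs named
in the article and for theme extensions that also declare runnable code.
Added example; not code from the article, Microsoft or the extension author.
"""
import json
import os
import tempfile
from pathlib import Path

# Extension IDs the article says security experts recommend removing.
FLAGGED_IDS = {
    "equinusocio.moxer-theme",
    "equinusocio.vsc-material-theme",
    "equinusocio.vsc-material-theme-icons",
    "equinusocio.vsc-community-material-theme",
    "equinusocio.moxer-icons",
}

# package.json keys whose presence means the extension ships executable code.
CODE_KEYS = ("main", "browser", "activationEvents")
# contributes.* keys that mark an extension as a (pure) theme.
THEME_KEYS = ("themes", "iconThemes", "productIconThemes")


def audit_extension(manifest: dict) -> list[str]:
    """Return a list of findings for one parsed package.json."""
    ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}".lower()
    findings = []
    if ext_id in FLAGGED_IDS:
        findings.append(f"{ext_id}: on the removal list")
    contributes = manifest.get("contributes") or {}
    is_theme = any(k in contributes for k in THEME_KEYS)
    code_keys = [k for k in CODE_KEYS if manifest.get(k)]
    if is_theme and code_keys:
        findings.append(
            f"{ext_id}: theme extension declares code ({', '.join(code_keys)})"
        )
    return findings


def audit_extensions_dir(root: os.PathLike) -> list[str]:
    """Walk <root>/<extension-folder>/package.json and collect findings."""
    findings = []
    for manifest_path in sorted(Path(root).glob("*/package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError) as exc:
            findings.append(f"{manifest_path.parent.name}: unreadable manifest ({exc})")
            continue
        findings.extend(audit_extension(manifest))
    return findings


def build_sample_root() -> str:
    """Create a constructed, throwaway extensions directory for the demo.
    These manifests are made up for this example, not real extension contents."""
    root = tempfile.mkdtemp(prefix="vscode-ext-audit-")
    samples = {
        # constructed: a clean theme, JSON-only contribution, no code keys
        "someone.clean-theme-1.0.0": {
            "publisher": "someone", "name": "clean-theme",
            "contributes": {"themes": [{"label": "Clean", "path": "./themes/clean.json"}]},
        },
        # constructed: uses one of the IDs from the article's removal list
        "equinusocio.vsc-material-theme-1.0.0": {
            "publisher": "equinusocio", "name": "vsc-material-theme",
            "contributes": {"themes": [{"label": "Material", "path": "./themes/m.json"}]},
        },
        # constructed: a theme that also points at a script entry point
        "someone.theme-with-code-1.0.0": {
            "publisher": "someone", "name": "theme-with-code",
            "main": "./release-notes.js",
            "activationEvents": ["*"],
            "contributes": {"iconThemes": [{"id": "x", "path": "./icons.json"}]},
        },
        # constructed: ordinary extension with code but no theme contribution (not flagged)
        "someone.linter-2.0.0": {
            "publisher": "someone", "name": "linter", "main": "./out/extension.js",
            "contributes": {"commands": []},
        },
    }
    for folder, manifest in samples.items():
        d = Path(root) / folder
        d.mkdir()
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # On a real machine, pass Path.home() / ".vscode" / "extensions" instead.
    for line in audit_extensions_dir(build_sample_root()):
        print(line)
```

The second check is deliberately narrower than "any extension with `main`": most useful extensions legitimately run code, so the signal is specifically a manifest that contributes only themes or icon themes yet also declares an entry point or activation events. A hit there is a reason to inspect the referenced file, not proof of compromise.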

Microsoft has promised to release more details about the alleged malicious activity on the VS Marketplace GitHub repository soon.