Microsoft has removed two popular Visual Studio Code (VSCode) extensions—’Material Theme – Free’ and ‘Material Theme Icons – Free’—from the VSCode Marketplace due to suspected malicious code.
The extensions, downloaded nearly 9 million times, were automatically disabled in users’ VSCode applications.
What Happened?
Cybersecurity researchers discovered suspicious, heavily obfuscated JavaScript code in the extensions.
The code allegedly referenced usernames and passwords, raising concerns about data theft. The malicious code may have been introduced through a compromised dependency (Sanity.io) or a supply chain attack.
Microsoft’s Response
Microsoft confirmed the findings, banned the developer Mattia Astorino (aka equinusocio), and removed all their extensions from the VSCode Marketplace.
The tech giant clarified that the removal was not due to copyright issues but rather potential malicious intent.
Developer’s Defense
Astorino denied any harmful intent, blaming the issue on an outdated Sanity.io dependency that had been in use since 2016.
He criticized Microsoft for not reaching out before taking action, claiming that the dependency could have been fixed with a quick update.
What Should Users Do?
Users are advised to remove the following extensions from their projects immediately:
- equinusocio.moxer-theme
- equinusocio.vsc-material-theme
- equinusocio.vsc-material-theme-icons
- equinusocio.vsc-community-material-theme
- equinusocio.moxer-icons
The Aftermath
Astorino attempted to publish a new version of the extension without dependencies, but Microsoft quickly removed it from the marketplace.
Microsoft plans to release further details about the security risks on the VSMarketplace GitHub repository.
