VS Code theme with nearly 4M installs removed due to security ‘red flags’

A Visual Studio Code (VS Code) theme extension with nearly 4 million installations was deactivated and removed from the VS Code Marketplace due to “multiple red flags” and “suspicious code,” according to VS Code team members.

VS Code is a widely used open-source code editor developed and maintained by Microsoft. VS Code users can install extensions from the VS Code Marketplace to add additional features and utilities, including themes that change the code editor’s graphical user interface (GUI).

The removed extension, Material Theme – Free, was removed on Wednesday due to “heavily obfuscated code and unreasonable dependencies including a utility for running child processes,” according to VS Code.

BleepingComputer reported that these issues were first reported to Microsoft by researchers Amit Assaraf and Itay Kruk of ExtensionTotal, who published a blog post about the removal on Wednesday saying the “malicious code” appeared to originate from a compromised dependency.

A VS Code team member later commented on Y Combinator’s Hacker News that Microsoft security researchers confirmed the report and “found additional suspicious code,” leading to the removal.

Material Theme – Free had 3,927,094 installations when it was removed, and Microsoft banned its publisher Equinusocio from the marketplace resulting in the removal of extensions totaling 13,177,186 installs, according to Assaraf and Kruk.

The Material Theme extension was automatically uninstalled from VS Code instances that used it, according to BleepingComputer, although users reported on Hacker News that they were unable to fully uninstall the extension.

Material Theme developer says suspicions ‘unfounded,’ claims ‘unfair treatment’

Equinusocio responded to the removal of his extensions and accounts early Friday in an issue on the VS Marketplace GitHub repository. The developer, whose real name is Mattia Astorino, said the problem that caused his theme to be flagged as suspicious was an outdated sanity.io dependency within the extension’s obfuscated code.

“This decision destroyed 10 years of reputation and trust, all based on unfounded SUSPICIONS regarding obfuscated code — something you dislike, even though there was no evidence of harm” Astorino wrote.

Astorino further claimed “persistent unfair treatment” after the VS Code team removed new versions of the theme that addressed the concerns surrounding Material Theme. His post notes that the VS Code Marketplace terms do not prohibit closed-source or obfuscated code and claims he was given not opportunity to respond or deobfuscate the code prior to the removal.

Astorino said in his post and comments that the purpose of the obfuscation was to protect the code after he changed the theme from open source to closed-source. In another discussion on the VS Marketplace repo Wednesday, users debated over the theme’s removal, with some agreeing there were “red flags” in the code while many felt the “malicious” label was an overstatement and sought additional information from VS Code and Microsoft.

Assaraf and Kruk, along with fellow researcher Idan Dardikman, reported last year that the VS Code marketplace contained nearly 1,300 extensions containing malicious code, which had a collective 229 million installations.