VSCode extensions with 9 million installs pulled over security risks
data:image/s3,"s3://crabby-images/9e1e9/9e1e9240a9ec64fab15be1a15ff6f49b52af552d" alt=""
Microsoft has removed two popular VSCode extensions, ‘Material Theme – Free’ and ‘Material Theme Icons – Free,’ from the Visual Studio Marketplace for allegedly containing malicious code.
The two extensions are very popular, having been downloaded nearly 9 million times in total, with users now receiving alerts in VSCode that the extensions have automatically been disabled.
The publisher, Mattia Astorino (aka equinusocio), has multiple extensions on the VSCode marketplace, totaling over 13 million installs.
News of the extensions being malicious comes from cybersecurity researchers Amit Assaraf and Itay Kruk, who have expertise in scanning VSCode for malicious extensions.
In a report published today, the researchers say they discovered suspicious code in the extensions and reported their findings to Microsoft.
“Microsoft removed both extensions from the VS Code marketplace and banned the developer,” reads a post from a Microsoft employee to YCombinator’s Hacker News.
“A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us. Our security researchers at Microsoft confirmed these claims and found additional suspicious code.”
“We banned the publisher from the VS Marketplace and removed all of their extensions and uninstalled them from all VS Code instances that have this extension running. For clarity – the removal had nothing to do with copyright/licenses, only about potential malicious intent.”
data:image/s3,"s3://crabby-images/0840d/0840df420d5eed82282d6946209f2c20d4225acd" alt="VSCode automatically removing Material Theme extensions"
Source: bsdahl
The researchers told BleepingComputer that their specialized scanner detected malicious activity in the extension’s code. One of the researchers, Amit Assaraf, says they believe the malicious code was introduced in an update to the extensions, which points to either a supply chain attack through a dependency or a compromise of the developer’s account.
data:image/s3,"s3://crabby-images/a81c7/a81c74faaecf712ab9a17b2220bd1031d806ee1c" alt="Scanner's risk score evaluation"
Source: app.extensiontotal.com
Moreover, they explained that themes should be static JSON files and not execute any code, so this behavior was marked as suspicious in their evaluation.
As verified by BleepingComputer, the “release-notes.js” files in the theme contain heavily obfuscated JavaScript, which is always a red flag in open-source software.
data:image/s3,"s3://crabby-images/e79ad/e79ad1c5714c4119fc69dc014be96bcff30d149e" alt="Obfuscated code in the extension"
Source: BleepingComputer
A partial deobfuscation of the code showed numerous references to usernames and passwords. However, as the file was still heavily obfuscated, BleepingComputer could not determine in what way they were being referenced.
Microsoft says they will publish more details about the extension and any detected malicious activity to the VSMarketplace GitHub repository soon.
The developer of the extensions, Mattia Astorino (aka equinusocio), responded to concerns about the extensions being malicious, stating that the issues are caused by an outdated Sanity.io dependency that “looks compromised.”
“Dear @gegtor nothing harmful was ever shipped within Material Theme,” reads a post from Astorino in Microsoft’s VSMarketplace repository.
“We just had an outdated sanity.io dependency used since 2016 to show release notes from sanity headless CMS, that was the only issue they found.”
“That dependency has been there since 2016 and passed every check since then, now it looks compromised but NO ONE from Microsoft reached us to remove it. They just pulled down everything causing issues to millions of users, and causing a loop in vscode (yep, it’s their fault)”
“They broke everything without ever reaching out to us for clarification. Removing the old dependency was a quick 30-second fix, but it seems that’s just how Microsoft operates. We also ship an obfuscated index.js file that contains all the theme commands and logic. It’s obfuscated because the extension is now closed-source; however, if you delete it, the extension will still function with plain JSON files.”
Until the situation clears up and it’s determined whether or not the extensions are malicious, it is recommended to remove the following from all projects:
- equinusocio.moxer-theme
- equinusocio.vsc-material-theme
- equinusocio.vsc-material-theme-icons
- equinusocio.vsc-community-material-theme
- equinusocio.moxer-icons
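To help with the removal advice above and the researchers’ point that a theme should be static JSON and never execute code, here is an added example (not code from the article, the researchers, or the extension author) that walks a local VS Code extensions directory, flags the five listed extension IDs, and reports any theme-only extension that declares a JavaScript entry point or ships .js files. The extensions path and the sample manifest are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Extension IDs the article recommends removing (publisher.name, as VS Code reports them).
FLAGGED_IDS = {
    "equinusocio.moxer-theme",
    "equinusocio.vsc-material-theme",
    "equinusocio.vsc-material-theme-icons",
    "equinusocio.vsc-community-material-theme",
    "equinusocio.moxer-icons",
}
THEME_ONLY_KEYS = {"themes", "iconThemes"}

def assess_extension(manifest: dict, js_files: list) -> list:
    """Return findings for one extension manifest (parsed package.json).
    js_files lists .js paths found in the extension folder. A pure colour or
    icon theme needs no activation code, so a 'main' entry, activation events
    or bundled JavaScript are worth a closer look."""
    findings = []
    ext_id = f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()
    if ext_id in FLAGGED_IDS:
        findings.append(f"{ext_id}: listed for removal")
    contributes = manifest.get("contributes") or {}
    theme_only = bool(contributes) and set(contributes) <= THEME_ONLY_KEYS
    if theme_only and manifest.get("main"):
        findings.append(f"{ext_id}: theme declares entry point {manifest['main']!r}")
    if theme_only and manifest.get("activationEvents"):
        findings.append(f"{ext_id}: theme declares activation events")
    if theme_only and js_files:
        findings.append(f"{ext_id}: theme ships JavaScript: {', '.join(sorted(js_files)[:5])}")
    return findings

def scan_extensions_dir(root: Path) -> list:
    """Scan every extension folder under root (default VS Code layout assumed)."""
    findings = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        pkg = ext_dir / "package.json"
        if not pkg.is_file():
            continue
        try:
            manifest = json.loads(pkg.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            findings.append(f"{ext_dir.name}: unreadable package.json")
            continue
        js_files = [str(p.relative_to(ext_dir)) for p in ext_dir.rglob("*.js")]
        findings.extend(assess_extension(manifest, js_files))
    return findings

# Constructed sample manifest (not the real extension's package.json).
SAMPLE_MANIFEST = {"publisher": "equinusocio", "name": "vsc-material-theme",
                   "contributes": {"themes": [{"label": "Material Theme", "path": "./themes/t.json"}]},
                   "main": "./release-notes.js"}

if __name__ == "__main__":
    for line in scan_extensions_dir(Path.home() / ".vscode" / "extensions"):
        print(line)
```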
The developer, Astorino, later published an extension named “Fanny Themes” to the VSCode Marketplace, which they claim is a “completely rewritten extension” without any dependencies; Microsoft subsequently removed it as well.
In response to our questions about the obfuscated release-notes.js file, Astorino repeated what he posted to GitHub, stating that a @sanity dependency was compromised and could have been quickly removed if he had been notified.
“The release notes file was made and used to generate a web view to show changes from sanity.io, a headless CMS, back in 2016,” Astorino told BleepingComputer.
“Never touched it since then, as I was focused on the new version of the extension. The only harmful thing was the old (and only) @sanity dependency which has been compromised. But I didn’t know it.”