Microsoft has removed two popular VSCode extensions, “Material Theme – Free” and “Material Theme Icons – Free,” due to security risks, after researchers discovered malicious code within them. The extensions had been downloaded nearly 9 million times, and users received alerts that the extensions had been disabled automatically within VSCode. The extensions’ developer, Mattia Astorino, known by the username “equinusocio,” had multiple extensions on the marketplace, collectively amassing over 13 million installs. The suspicious activity was first flagged by cybersecurity researchers Amit Assaraf and Itay Kruk, who specialize in scanning VSCode extensions for malicious code.
The researchers found suspicious and heavily obfuscated JavaScript in the extensions’ code, raising red flags about its intent.
The malicious code was particularly concerning because a VSCode theme should consist of static JSON files and has no legitimate reason to execute any code. The obfuscation suggested that the code could be hiding malicious activity. After analyzing the extensions, Microsoft removed them from the marketplace and banned the developer, stating that the action had nothing to do with copyright issues but was based solely on malicious intent and potential harm to users.
The researchers speculated that the malicious code might have been introduced during an update to the extensions, potentially via a supply chain attack or a compromised developer account.
They also noted that the code was found in a file called “release-notes.js,” which was intended to show the update release notes, but it contained references to usernames and passwords. Despite the obfuscation, the researchers couldn’t determine the exact nature of the information being referenced. Microsoft assured the public that further details would be provided via the VSMarketplace GitHub repository.
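The detection idea behind the researchers’ finding, that a theme-only extension has no business shipping JavaScript at all, let alone obfuscated JavaScript, can be turned into a simple audit of locally installed extensions. The script below is an added example written for this article, not code from Microsoft, the researchers, or the extension author; the “theme-only” contribution points, the obfuscation thresholds, and the constructed sample extension (including its `release-notes.js` filename, borrowed from the article) are assumptions made for illustration.

```python
import json
import os
import re
import tempfile

# Contribution points a pure theme extension legitimately declares in package.json.
# Added example; THEME_ONLY and the thresholds below are assumed heuristics, not a standard.
THEME_ONLY = {"themes", "iconThemes", "productIconThemes"}

def is_theme_only(manifest):
    # True when the manifest contributes nothing except colour/icon themes.
    contributes = manifest.get("contributes") or {}
    return bool(contributes) and set(contributes) <= THEME_ONLY

def looks_obfuscated(source):
    # Crude signal: dense hex/unicode escapes or a single very long line.
    escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}", source))
    longest = max((len(line) for line in source.splitlines()), default=0)
    return escapes >= 20 or longest >= 2000

def audit_extension(ext_dir):
    # Returns findings for one installed extension directory (e.g. ~/.vscode/extensions/<id>).
    with open(os.path.join(ext_dir, "package.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    if not is_theme_only(manifest):
        return []  # only theme-only extensions are expected to be fully static
    findings = []
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, ext_dir)
            findings.append("JavaScript in theme-only extension: " + rel)
            with open(path, encoding="utf-8") as f:
                if looks_obfuscated(f.read()):
                    findings.append("obfuscated-looking script: " + rel)
    return findings

def build_sample_extension(with_script):
    # Writes a constructed theme extension to a temp dir and returns its path.
    ext_dir = tempfile.mkdtemp(prefix="theme-audit-")
    manifest = {"name": "sample-theme", "contributes": {"themes": [{"label": "Sample"}]}}
    with open(os.path.join(ext_dir, "package.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    if with_script:
        body = "var s='" + "\\x41" * 30 + "';"  # constructed escape-dense payload
        with open(os.path.join(ext_dir, "release-notes.js"), "w", encoding="utf-8") as f:
            f.write(body)
    return ext_dir
```

Run `audit_extension()` over each directory under your VSCode extensions folder; an empty result means the extension either is not theme-only or ships no JavaScript, while any finding deserves a manual look at the flagged file.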
In response, Astorino defended the extensions, claiming that the malicious behavior was due to an outdated dependency from Sanity.io, a headless CMS service. He explained that the dependency had been in use since 2016, and he had not updated it since.
Astorino stated that he had not been contacted by Microsoft before the removal of his extensions and that the issue could have been fixed quickly if he had been informed. However, as Microsoft continues to investigate the situation, users are advised to remove the extensions from their projects as a precaution.