Many people might have followed the news three weeks ago about the well-known extension Material Theme being proactively removed from VS Code by Microsoft. So what was the reason for its removal? Depending on your source of information, there might be two answers:
- It “allegedly” contains malicious code.
- It is indeed malware.
For example, in BleepingComputer’s article VSCode extensions with 9 million installs pulled over security risks, it states:
Microsoft has removed two popular VSCode extensions, ‘Material Theme – Free’ and ‘Material Theme Icons – Free,’ from the Visual Studio Marketplace for allegedly containing malicious code.
It uses the term “allegedly containing malicious code.”
In addition to this, there are many news articles or tweets that assertively claim that Material Theme is malware. For instance, the widely followed @theo directly stated:
The Material Theme has just been removed from GitHub and VS Code due to shipping malware.
So, is the Material Theme extension on VS Code malware? To conclude: “No.”
What exactly happened in this whole process? Why was it initially said to be potentially malware, and later it was not? Let’s discuss this in chronological order, starting from the beginning.
The Beginning of the Incident and the Reason for Removal
(All times refer to Taiwan time)
On 2025/02/26 at 01:32 AM, someone posted an issue on the Material Theme GitHub: This extension was reported to be problematic, mentioning that the following prompt appeared in VS Code:
We have uninstalled ‘equinusocio.vsc-material-theme’ which was reported to be problematic.
This shows that, by this point in time, Microsoft had already proactively removed the Material Theme from VS Code. A few hours later, at 04:39, someone also posted on the well-known discussion forum Reddit discussing the same situation: Lost Material Theme.
By 7 AM, discussions also began on Hacker News: Material Theme has been pulled from VS Code’s marketplace.
Around 3:40 PM, a member of the VS Code team, Isidor, responded:
Hi - Isidor here from the VS Code team.
A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us. Our security researchers at Microsoft confirmed these claims and found additional suspicious code. We banned the publisher from the VS Marketplace and removed all of their extensions and uninstalled from all VS Code instances that have this extension running. For clarity - the removal had nothing to do about copyright/licenses, only about potential malicious intent.
Expect an announcement here with more details soon https://github.com/microsoft/vsmarketplace/
As a reminder, the VS Marketplace continuously invests in security. And more about extension runtime trust can be found in this article https://code.visualstudio.com/docs/editor/extension-runtime-security
Thank you!
The gist is that someone in the community conducted an in-depth security analysis of this package, found multiple red flags indicating malicious intent, and reported it to Microsoft. Internal security researchers at Microsoft also confirmed this finding and identified other suspicious code. Microsoft has removed all packages from this developer and banned him, stating that the removal of the package is unrelated to the license (which we will discuss later) and is only related to potential suspicious intent.
By 11 PM, someone opened an issue in the Visual Studio Marketplace GitHub to discuss this matter: Material theme compromised?, wanting to know more details.
The PM of the VS Code Marketplace, seaniyer, also provided a response at 9:57 AM on 2/27:
Sean here from VS Code Marketplace. We take the decision to remove seriously and thoroughly verify any reports. To protect developers, we also prioritize speedy removal of positives. We’ve posted the reason for removal in RemovedPackages, where we plan to add any future removals as well. Thanks for helping to keep the marketplace safe for everyone.
The RemovedPackages.md file was created at 7 AM that day, perhaps indicating that this was Microsoft’s first proactive removal of a package?
The document stated that the removed package was Equinusocio.vsc-material-theme-icons (another package by the same author, who has two: Material Theme and Material Theme Icons), with the reason being:
A theming extension with heavily obfuscated code and unreasonable dependencies including a utility for running child processes
A cybersecurity company, Koi Security, published an article on 2025/02/27 titled A Wolf in Dark Mode: The Malicious VS Code Theme That Fooled Millions, mentioning that they found malicious code in the Material Theme, seemingly introduced through a dependency:
Say hello to the wolf in dark mode, “Material Theme”, an extremely popular VSCode theme extension, found to be containing malware underneath its beautiful color scheme
Material Theme — Free, a theme extension for VSCode, which was installed 3,927,094 times by developers, was found to contain malicious code through a dependency
The malicious code seems to be inside a dependency of the theme, which was compromised.
The wording used here is “was found to contain malicious code,” which directly states that it contains malicious code.
On 2/28, around 5 PM, the author of Material Theme, @equinusocio, opened an issue in the Visual Studio Marketplace GitHub: Asking for Equinusocio publisher restoration and relative extensions, censorship and shady discriminatory microsoft moves, stating that there is no malicious code in his package, and the only issue is an outdated third-party package:
This decision destroyed 10 years of reputation and trust, all based on unfounded SUSPICIONS regarding obfuscated code—something you dislike, even though there was no evidence of harm. The only issue was an outdated sanity.io dependency within the obfuscated code, which could have been fixed in 30 seconds.
At the end of the article, it also mentions that if it is confirmed that his package does not contain malicious code, all extensions should be restored and a public apology issued:
If your review of MY SOURCE CODE confirms that there is nothing malicious, I formally request the full restoration of our publisher accounts (Equinusocio and vira-theme), all related extensions, and user access to the theme. Additionally, all installations and insights should be reinstated.
Why was Material Theme suspected?
To summarize the above discussion, it is clear that Material Theme indeed did a few things:
- It is clearly a theme, but the package contains JavaScript.
- It has obfuscated code.
- The code contains parts related to username and password.
- It includes a utility for executing child processes.
If you ask me whether it is suspicious, yes, it is certainly suspicious. But if you ask me whether it is malicious software, I would say it is not.
Why not? Because no one has provided evidence. Although obfuscating code is indeed suspicious, it is just that: suspicious. Moreover, in my view, this suspicion is not even especially strong. For example, no evidence was found of communication with a malicious server, of any backdoor, or of anything similar.
In addition, regarding the obfuscation, if you have looked into the situation, you would find that as early as August 2024, someone on Reddit posted a thread titled Has the Material Theme extension been compromised?, stating that the latest version contains a large amount of obfuscated code and that the historical records on GitHub had already been deleted, and asking what had happened.
Some say it may be related to these two discussions initiated by the author on August 10:
Because the author wanted to change this package from open source to closed source and develop a paid version, they used obfuscation to hide some logic.
As for the so-called “parts related to username and password in the code,” it is very likely that a third-party package included a URL parser (url-parser), so the username and password in question are the credential fields of a parsed URL, not anything that steals sensitive information from your computer.
Regarding the “utility for executing child processes,” someone looked at the code after deobfuscating it and found that it was just a build script, executing no malicious commands.
(By the way, I have not personally verified these two points above; the source code of the extension has always been available for download, and interested individuals can take a look themselves: https://marketplace.visualstudio.com/_apis/public/gallery/publishers/Equinusocio/vsextensions/vsc-material-theme/34.7.9/vspackage)
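To make the distinction the post keeps drawing concrete, here is an added triage script (my own example, not code from the post, from Microsoft, or from Koi Security) that checks an extension's files for the four red flags listed above, annotates the username/password hit with the URL-parser explanation, and keeps “suspicious” separate from “malicious”. The dependency names and the sample extension contents are constructed assumptions, not the real Material Theme package.

```python
import json
import re

# Assumed npm package names for the two dependency categories the post mentions (illustrative only).
PROCESS_SPAWNING_DEPS = {"cross-spawn", "execa", "shelljs"}
URL_PARSER_DEPS = {"url-parse", "whatwg-url"}

# Constructed sample extension (path -> content); not the real extension's files.
SAMPLE_EXTENSION = {
    "package.json": json.dumps({
        "name": "example-theme",
        "main": "./dist/extension.js",
        "contributes": {"themes": [{"label": "Example Dark", "path": "./themes/dark.json"}]},
        "dependencies": {"cross-spawn": "^7.0.0", "url-parse": "^1.5.0"},
    }),
    "dist/extension.js": ("var _0x4f2a=['username','password'];"
                          "function _0x1b3c(_0x2d,_0x3e){return _0x4f2a[_0x2d-0x1]}") * 3,
}

def find_red_flags(files):
    """Return the red flags from the post that are present in an extension's files."""
    manifest = json.loads(files["package.json"])
    deps = set(manifest.get("dependencies", {}))
    js_files = {p: c for p, c in files.items() if p.endswith(".js")}
    flags = []
    if manifest.get("contributes", {}).get("themes") and js_files:
        flags.append("theme extension ships JavaScript")
    for path, code in js_files.items():
        # Obfuscation heuristics: many hex-style identifiers, or very long dense lines
        hex_ids = len(re.findall(r"\b_0x[0-9a-f]+\b", code))
        longest = max(len(line) for line in (code.splitlines() or [""]))
        if hex_ids >= 5 or longest > 500:
            flags.append(f"obfuscated code in {path}")
        if re.search(r"username|password", code, re.IGNORECASE):
            # A URL parser legitimately carries these field names (the post's explanation)
            note = " (consistent with URL-parser fields)" if deps & URL_PARSER_DEPS else ""
            flags.append(f"credential-like strings in {path}{note}")
    spawn = sorted(deps & PROCESS_SPAWNING_DEPS)
    if spawn:
        flags.append("process-spawning dependency: " + ", ".join(spawn))
    return flags

def classify(flags, evidence):
    """Red flags alone justify 'suspicious'; only confirmed evidence (traffic to a malicious
    server, a verified backdoor) justifies 'malicious'."""
    if evidence:
        return "malicious"
    return "suspicious" if flags else "clean"

if __name__ == "__main__":
    found = find_red_flags(SAMPLE_EXTENSION)
    print("\n".join(found), "\nverdict:", classify(found, evidence=[]))
```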
The article from Koi Security also lacks any clear evidence. My stance here aligns with the subtitle of the article RE: VSCode Extension Drama: You can’t run your threat response like a High School clique.
Of course, setting aside Material Theme for now, the author has a history of behaviors that do not align with the spirit of open source. This is also why the Microsoft statement mentioned earlier states: “For clarity - the removal had nothing to do about copyright/licenses, only about potential malicious intent.” However, since these issues are unrelated to whether the extension is malicious software, I won’t elaborate further.
Initially, only Material Theme and Material Theme Icons were taken down and removed. However, the author later created a new account, changed the name, and uploaded it again. After being discovered multiple times, the entire account was banned, as can be seen in the discussion thread on Reddit.
In summary, this comment from @r8 accurately reflects my thoughts:
Being an ass is not a crime. If you want to ban Mattia for being an ass (which, I’m sorry to say, he is), that’s what Codes of Conduct were invented for.
The Important Line Between “Suspected” and “Confirmed”
The question I want to discuss is: “Is it reasonable for the VS Code team to take down the Material Theme extension?”
However, this question actually hides two or three sub-questions, so I decided to break it down. The first thing we can discuss is whether it is reasonable to take down an extension when it is found to “possibly contain malicious code.”
Prevention is better than cure. Stopping losses before something goes wrong is, in my opinion, reasonable.
The second related question is: “Since it is only suspected, how much certainty is needed before it is reasonable to take it down?”
This is actually a “line-drawing” issue.
For example, if a theme extension is found to contain unobfuscated JavaScript files, taking it down may not be reasonable. But what if obfuscated JavaScript is found in the theme extension? (You still don’t know what the content is, only that it has been obfuscated.) Some people might feel it should be taken down.
However, others might argue that you must find concrete evidence before taking it down; even being in the suspicion stage is not enough.
So I say this is a line-drawing issue, depending on where you draw the line and what conditions must be met to feel it is sufficiently suspicious to warrant removal. This standard will vary for each person and organization.
Once these two questions are clarified, we can discuss: “Is it reasonable for the VS Code team to take down the Material Theme extension?” From their perspective, the known information is likely:
- It is clearly a theme, but the extension contains JavaScript, which is obfuscated.
- It includes utilities used to execute child processes.
- This extension has millions of downloads.
Before making a decision, they must understand the impact this decision will have.
For example, this is the first time the VS Code team has done this, so even if it is merely “suspected of having issues,” it could be interpreted as having enough confidence to take significant action by remotely removing the extension. Additionally, if it turns out to be a malicious extension, that would be fine, but what if it is not? Should they be particularly careful when making public statements, emphasizing that it is only a suspicion and trying not to harm the developer’s reputation when the evidence is not yet clear?
Another question is, since “lack of evidence” affects the decision, should this line be drawn more strictly, only making decisions after obtaining concrete evidence? After all, if it is ultimately confirmed that the extension is fine, the outside world may question Microsoft’s cybersecurity capabilities (like, I thought you had enough evidence to do this, but it turns out to be a false report).
In summary, I don’t know how much evidence the VS Code team had, but we all know the decision they ultimately made: to forcibly remove the extension to protect users.
Conclusion: The VS Code Team’s Apology
More than a week after the incident, on March 7, Microsoft removed Material Theme from the list via this PR: Update RemovedPackages.md.
On March 12, they issued a public statement apologizing under the issue posted by the author:
False positives suck, and it hurts when it happens.
The publisher account for Material Theme and Material Theme Icons (Equinusocio) was mistakenly flagged and has now been restored. In the interest of safety, we moved fast and we messed up. We removed these themes because they fired off multiple malware detection indicators inside Microsoft, and our investigation came to the wrong conclusion. We care deeply about the security of the VS Code ecosystem, and acted quickly to protect our users.
I understand the “Equinusocio” extension author’s frustration and intense reaction, and we hear you. It’s bad, but sometimes things like this happen. We do our best - we’re humans, and we hope to move on from this. We will clarify our policy on obfuscated code and we will update our scanners and investigation process to reduce the likelihood of another event like this.
These extensions are safe and have been restored for the VS Code community to enjoy.
LINKS:
Material Theme
[Material Theme Icons](https://marketplace.visualstudio.com/items?itemName=Equinusocio.vsc-material-theme-icons)
Again, we apologize that the author got caught up in the blast radius and we look forward to their future themes and extensions. We’ve corresponded with him and thanked him for his patience.
Scott Hanselman and the Visual Studio Code Marketplace Team - @shanselman
So, despite having some indeed suspicious behavior, Material Theme has never been malware from the beginning.
However, the statement also shows that, from their perspective, they had a high level of confidence when making the decision; after all, their internal malware detection said so (even though it turned out to be a false positive).
If it were me, I might have decided to take it down as well, so I understand this decision.
But I think the explanation at the time of removal should have been clearer, emphasizing multiple times that “the incident is still under investigation, and it has not been confirmed to be malware,” and continuously stressing that “it is still being verified, and it was removed just to protect users.”
Although the VS Code team did not explicitly state that it was malware, the expression was more like “although it hasn’t been fully confirmed, I am quite confident it is,” rather than “it hasn’t been confirmed to be malware, please don’t panic, wait for our verification.”
To summarize my position, I currently believe that removing highly suspicious packages is reasonable, and I agree with the VS Code team’s actions. However, to avoid false positives, extra caution must be taken in external statements; otherwise, the damage to the developer’s reputation is irreparable, and I believe the VS Code team did not do well in this regard this time.
Taking this incident as an example, even though the VS Code apology statement was issued 3 days ago, how many people know about it? Could it be that most people still think Material Theme is malware?
By the way, BleepingComputer asked the cybersecurity company that initially reported the issue in the article Microsoft apologizes for removing VSCode extensions used by millions, and they still believe there is malicious code:
When asked by BleepingComputer about this development, cybersecurity researcher Amit Assaraf continued to claim that the extension did contain malicious code. However, he stated that there was no malicious intent from the publisher, commenting that “in this case, Microsoft moved too fast.”
But it seems that no relevant evidence has been provided so far.