VSCode Extensions Pulled Over Security Risks – Here is what to know.



Recently, Microsoft removed two popular VSCode extensions, ‘Material Theme – Free’ and ‘Material Theme Icons – Free,’ from the Visual Studio Marketplace. These extensions, downloaded nearly 9 million times, allegedly contained malicious code.


Discovery by Researchers

Cybersecurity researchers Amit Assaraf and Itay Kruk discovered the suspicious code and reported it to Microsoft, which confirmed the claims and found additional suspicious code of its own. Microsoft then banned the developer, Mattia Astorino, and removed all of his extensions from the marketplace.

Possible Supply Chain Attack

The researchers believe the malicious code was introduced through an update, which points to either a supply chain attack or a compromised developer account. Their reasoning: a colour or icon theme is supposed to be a static JSON file describing colours and icons, and it has no legitimate reason to execute code. These extensions, however, shipped heavily obfuscated JavaScript, which raised red flags on its own.
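The observation above ("a theme should be static JSON, so executable JavaScript in one is a red flag") can be turned into a local check. The script below is an added example written for this article; it is not code from the original page, from Microsoft, or from the extension's developer. It walks an unpacked VS Code extensions directory (assumed to follow the usual `~/.vscode/extensions/<publisher>.<name>-<version>/package.json` layout), and for every extension that contributes a theme or icon theme it reports a `main`/`browser` entry point, `activationEvents`, and any bundled `.js` files, with a crude obfuscation heuristic applied to each. The two sample extensions it builds in a temporary directory are constructed for the demonstration; the "obfuscated" payload is a harmless hex-escaped string passed to `eval`.

```python
"""Flag VS Code theme extensions that ship executable JavaScript.

A pure colour/icon theme only needs a package.json whose "contributes"
section lists "themes" or "iconThemes" pointing at JSON files. A "main"
or "browser" entry point, "activationEvents", or bundled .js files mean
the extension runs code in the extension host, which a theme does not need.
"""
import json
import re
import tempfile
from pathlib import Path

# Crude obfuscation heuristics: very long single lines, long runs of hex
# escapes, or dynamic code evaluation. Signals to inspect, not proof of malice.
_SUSPICIOUS_JS = [
    re.compile(r"\\x[0-9a-fA-F]{2}(\\x[0-9a-fA-F]{2}){8,}"),  # 9+ hex escapes in a row
    re.compile(r"\beval\s*\("),
    re.compile(r"\bnew\s+Function\s*\("),
    re.compile(r"\bString\.fromCharCode\s*\("),
]


def js_looks_obfuscated(text: str) -> bool:
    """Return True if the JavaScript source trips any obfuscation heuristic."""
    if any(len(line) > 5000 for line in text.splitlines()):
        return True
    return any(p.search(text) for p in _SUSPICIOUS_JS)


def audit_extension(ext_dir: Path) -> dict:
    """Return findings for one unpacked extension directory."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    contributes = manifest.get("contributes", {})
    is_theme = bool(contributes.get("themes") or contributes.get("iconThemes"))
    findings = []
    if is_theme:
        entry = manifest.get("main") or manifest.get("browser")
        if entry:
            findings.append(f"theme declares code entry point: {entry}")
        if manifest.get("activationEvents"):
            findings.append("theme declares activationEvents")
        for js in sorted(ext_dir.rglob("*.js")):
            rel = js.relative_to(ext_dir).as_posix()
            source = js.read_text(encoding="utf-8", errors="replace")
            if js_looks_obfuscated(source):
                findings.append(f"obfuscated-looking JavaScript: {rel}")
            else:
                findings.append(f"JavaScript shipped in a theme: {rel}")
    return {"name": manifest.get("name", ext_dir.name), "is_theme": is_theme, "findings": findings}


def audit_extensions_root(root: Path) -> list:
    """Audit every extension directory under root that has a package.json."""
    return [audit_extension(d) for d in sorted(root.iterdir()) if (d / "package.json").is_file()]


def build_sample_extensions(root: Path) -> None:
    """Constructed sample data: one clean theme and one theme with a JS entry point."""
    clean = root / "clean-theme-1.0.0"
    (clean / "themes").mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({
        "name": "clean-theme",
        "contributes": {"themes": [{"label": "Clean", "uiTheme": "vs-dark", "path": "./themes/clean.json"}]},
    }))
    (clean / "themes" / "clean.json").write_text('{"colors": {"editor.background": "#1e1e1e"}}')

    bad = root / "suspect-theme-2.0.0"
    (bad / "themes").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "suspect-theme",
        "main": "./extension.js",
        "activationEvents": ["*"],
        "contributes": {"themes": [{"label": "Suspect", "uiTheme": "vs-dark", "path": "./themes/s.json"}]},
    }))
    (bad / "themes" / "s.json").write_text("{}")
    # Constructed stand-in for an obfuscated payload: hex-escaped string fed to eval.
    (bad / "extension.js").write_text(
        'var _0x1=["\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65"];eval(_0x1[0]);'
    )


def run_demo() -> dict:
    """Build the constructed sample tree in a temp dir and audit it, keyed by name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_extensions(root)
        return {r["name"]: r for r in audit_extensions_root(root)}


if __name__ == "__main__":
    # Point this at Path.home() / ".vscode" / "extensions" to audit a real install.
    for name, result in run_demo().items():
        print(name, "theme" if result["is_theme"] else "not a theme")
        for finding in result["findings"]:
            print("   ", finding)
```

Treat every finding as a prompt to open the file, not as a verdict: some theme extensions legitimately bundle a little JavaScript (for example, commands that switch between theme variants), so the useful question is whether the code in a theme does anything a theme needs, and whether a version bump introduced JavaScript that earlier versions did not have.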

Developer’s Response

Astorino responded to the concerns, stating that the issues were caused by an outdated Sanity.io dependency. He claimed that the dependency had been in use since 2016 and had passed every check until now. Astorino criticized Microsoft for not reaching out to him before removing the extensions, which caused issues for millions of users.

Future Plans and Implications

Microsoft plans to publish more details about the extensions and any detected malicious activity on the VSMarketplace GitHub repository soon. This incident highlights the importance of vigilance in the software development community and the need for thorough security checks to protect users from potential threats.

