
Microsoft restores VS Code theme flagged as malicious: We messed up


Microsoft restored a popular Visual Studio Code (VS Code) theme extension that was wrongly flagged as malicious and apologized to its developer, two weeks after it removed the theme and banned the developer from the VS Code Marketplace.

“False positives suck, and it hurts when it happens,” Microsoft’s Vice President of Developer Community Scott Hanselman wrote in a response Wednesday to Mattia Astorino, the developer of Material Theme – Free, who also goes by Equinusocio.

Material Theme – Free, which had nearly 4 million installations, was removed from the VS Code Marketplace and forcibly uninstalled from millions of users’ VS Code instances on Feb. 26 after it was reported by researchers Amit Assaraf and Itay Kruk of ExtensionTotal to contain malicious code.

At the time, a VS Code representative also said in a comment on Y Combinator’s Hacker News that Microsoft’s own security researchers had confirmed the report and “found additional suspicious code” that led to the extension’s removal.

The official reason given for Material Theme’s removal, as stated on the VS Code Marketplace GitHub repository before its restoration, was “heavily obfuscated code and unreasonable dependencies including a utility for running child processes.”

Astorino was also banned from the VS Code Marketplace, leading to the removal of all his extensions totaling more than 13 million installs, including Material Theme Icons – Free, which had more than 5.5 million installs.

The developer defended himself in a GitHub issue decrying alleged “persistent unfair treatment” and stating that the flagged code stemmed from an outdated sanity.io dependency bundled inside the obfuscated build output.

“You never reached out for clarification (neither pre-ban nor post-ban) – unlike in other cases where you contacted fork authors after our ban – nor did you request that we deobfuscate the code or access the source code. I never received any notification about the ban,” Astorino wrote, adding that the problematic dependency could have been resolved “in 30 seconds.”

After Equinusocio’s developer account and extensions were restored, Assaraf and Kruk’s blog post about the extension’s “multiple red flags indicating malicious intent” was updated, praising Microsoft’s response and Astorino’s removal of the “malicious dependency.”

“As always, we encourage organizations to exercise caution, particularly with non-critical marketplace items like themes,” the researchers wrote.
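The two indicators cited earlier, heavily obfuscated JavaScript and a dependency able to run child processes, are also what a reviewer can check for locally before trusting a theme. The following Python script is an added example, not code from the article, from Microsoft's scanner, or from ExtensionTotal. It unpacks a .vsix package (a zip archive) and reports whether a theme-only extension declares an entry point, references child-process modules, or contains JavaScript that looks obfuscated under a few simple heuristics. The sample package, the marker list and the score thresholds are constructed assumptions for illustration, not Marketplace policy.

```python
"""Triage a VS Code extension package (.vsix) for the indicators the
article cites: obfuscated JavaScript and child-process dependencies.
Added example; the sample package below is constructed inline."""
import io
import json
import re
import zipfile

# Real Node/npm module names that can launch subprocesses. Treating them as
# "worth a look in a theme" is this example's heuristic, not a documented rule.
PROCESS_MARKERS = ("child_process", "execa", "cross-spawn", "node-pty")

# Contribution points that only need JSON and never need to execute code.
PASSIVE_CONTRIBUTIONS = {"themes", "iconThemes", "productIconThemes"}


def obfuscation_score(js: str) -> float:
    """Crude obfuscation heuristic; thresholds are illustrative assumptions.
    Adds one point each for a very long line, many hex/unicode escapes,
    and many _0x-style identifiers (a common obfuscator naming pattern)."""
    lines = js.splitlines() or [""]
    longest = max(len(line) for line in lines)
    escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}", js))
    hexnames = len(re.findall(r"\b_0x[0-9a-fA-F]{3,}\b", js))
    score = 0.0
    if longest > 500:
        score += 1.0
    if escapes > 10:
        score += 1.0
    if hexnames > 5:
        score += 1.0
    return score


def scan_vsix(vsix_bytes: bytes) -> dict:
    """Return the findings a reviewer would want before trusting the package."""
    findings = {"passive_only": False, "has_entry_point": False,
                "process_refs": [], "obfuscated": []}
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as z:
        manifest = json.loads(z.read("extension/package.json"))
        contributes = set(manifest.get("contributes", {}).keys())
        findings["passive_only"] = bool(contributes) and contributes <= PASSIVE_CONTRIBUTIONS
        # A theme has no reason to declare an activation entry point.
        findings["has_entry_point"] = "main" in manifest or "browser" in manifest
        for name in z.namelist():
            if not name.endswith((".js", ".cjs", ".mjs")):
                continue
            src = z.read(name).decode("utf-8", errors="replace")
            hits = [m for m in PROCESS_MARKERS if m in src]
            if hits:
                findings["process_refs"].append((name, hits))
            if obfuscation_score(src) >= 2:
                findings["obfuscated"].append(name)
    return findings


def needs_review(findings: dict) -> bool:
    """A theme-only package that ships executable code, child-process
    references, or obfuscated JS deserves a human look. None of these alone
    proves malice; in the article's case the cause was a stale dependency."""
    return bool(findings["passive_only"] and (
        findings["has_entry_point"] or findings["process_refs"] or findings["obfuscated"]
    ))


def build_sample_vsix(bundle_js: bool) -> bytes:
    """Constructed sample: a colour theme, optionally with a minified JS blob
    that pulls in child_process, mimicking a bundled dependency."""
    manifest = {
        "name": "sample-theme", "publisher": "example", "version": "0.0.1",
        "contributes": {"themes": [{"label": "Sample", "uiTheme": "vs-dark",
                                    "path": "./themes/sample.json"}]},
    }
    if bundle_js:
        manifest["main"] = "./dist/extension.js"
    # One long line with hex-escaped "child_process" and a require() of it.
    blob = ('var _0xabc1=["\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73"];'
            'const cp=require("child_process");' + "a=1;" * 200)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("extension/package.json", json.dumps(manifest))
        z.writestr("extension/themes/sample.json", json.dumps({"name": "Sample", "colors": {}}))
        if bundle_js:
            z.writestr("extension/dist/extension.js", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for bundle in (False, True):
        result = scan_vsix(build_sample_vsix(bundle_js=bundle))
        print("bundled JS:", bundle, "->", result, "review:", needs_review(result))
```

Against a downloaded package, call `scan_vsix(open("ext.vsix", "rb").read())`. A hit is a reason to read the code, not proof of malice: as the Material Theme case shows, a minified third-party dependency bundled into a theme can trip every one of these checks, and the script deliberately does not flag non-theme extensions that may legitimately spawn processes.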

Hanselman also apologized to Astorino and noted that Microsoft will clarify its policy on obfuscated code and update its scanners and investigative processes to prevent similar errors in the future.

“In the interest of safety, we moved fast and we messed up. We removed these themes because they fired off multiple malware detection indicators inside Microsoft, and our investigation came to the wrong conclusion,” Hanselman wrote.
