Microsoft has restored the ‘Material Theme – Free’ and ‘Material Theme Icons – Free’ extensions on the Visual Studio Code Marketplace after determining that the previously flagged obfuscated code was not malicious. The reversal comes after nearly two weeks of controversy, during which the extensions’ publisher, Mattia Astorino, was banned from the platform without warning.
Why Microsoft Initially Pulled the Extensions
In late February, Microsoft removed the two extensions—boasting over nine million installs—citing security concerns. The ban came after cybersecurity researchers flagged obfuscated code within the extensions’ scripts, raising red flags about potential malware threats.
At the time, a Microsoft employee explained the decision: “A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us. Our security researchers at Microsoft confirmed this claim and found additional suspicious code.”
The concerns primarily revolved around a heavily obfuscated release-notes.js file, which was thought to enable unauthorized code execution. Researchers Amit Assaraf and Itay Kruk, using AI-powered scanners, first detected these suspicious elements and classified the extensions as high-risk.
Developer Pushback and Flawed Investigation
Astorino strongly objected to the allegations, explaining that the flagged code was part of an outdated dependency—Sanity.io SDK—used for managing release notes. He stated that Microsoft never contacted him before the removal and that the issue could have been fixed in seconds had they done so.
“There was nothing malicious. I hadn’t updated the extension in years since I was focused on the new version, apart from the obfuscation process,” Astorino told BleepingComputer.
- The main issue stemmed from a build script unintentionally bundled into the distributed index.js file.
- The obfuscation process inadvertently included strings related to authentication, but they posed no security threat.
- The Sanity.io SDK, dating back to 2016, was the source of the flagged references, not any intentional backdoor.
Microsoft’s Apology and Policy Update
On March 12, Scott Hanselman, a prominent figure in the Visual Studio Code team, publicly apologized to Astorino on GitHub. He acknowledged that the extension’s removal was a mistake and confirmed that the publisher’s account had been reinstated.
“The publisher account for Material Theme and Material Theme Icons (Equinusocio) was mistakenly flagged and has now been restored,” Hanselman stated.
He admitted that Microsoft’s security protocols had triggered multiple malware detection indicators, prompting swift action. However, the investigation reached the wrong conclusion.
“In the interest of safety, we moved fast and we messed up. We removed these themes because they fired off multiple malware detection indicators inside Microsoft, and our investigation came to the wrong conclusion.”
Microsoft has now updated its policy on obfuscated code within Visual Studio Code Marketplace extensions to prevent similar incidents in the future.
Security Researcher Defends Initial Flagging
Despite Microsoft’s reinstatement of the extensions, cybersecurity researcher Amit Assaraf maintains that the flagged code did, in fact, contain malicious elements—though he concedes that Astorino did not include them with harmful intent.
“In this case, Microsoft moved too fast,” Assaraf told BleepingComputer.
However, he stood by the initial findings, arguing that the presence of obfuscation and potential execution capabilities warranted caution.
Extensions Are Now Safe to Use
Astorino has since completely rewritten the Material Theme extensions, removing any problematic dependencies. The updated versions, now available on the VS Code Marketplace, have been deemed safe for use.
With over nine million installs, the Material Theme extensions remain among the most popular customization options for VS Code users. Despite the controversy, Astorino’s work is once again accessible to developers worldwide—this time with Microsoft’s explicit approval.