
Visual Studio Code extensions with 9 million downloads removed for security risks


Microsoft recently removed two popular VSCode extensions, Material Theme – Free and Material Theme Icons – Free, from its Visual Studio Marketplace because the extensions may contain malware.

Microsoft has removed the two popular VSCode extensions Material Theme – Free and Material Theme Icons – Free, with nearly 9 million installs combined, from its Visual Studio Marketplace following an investigation by outside security researchers.

During their investigation, the researchers found several indications that the extensions may contain malware. The malicious code was allegedly introduced in an update to the extensions, which could point to a supply chain attack via a dependency or to a compromise of the publisher’s account.

Screenshot of a risk assessment for the Material Theme extension, showing a high risk score with concerns about malicious activity, active code, an unverified publisher and obfuscated code.

In their write-up, the researchers stated that a theme should consist solely of static JSON files and should never run any code. Yet the release-notes.js file shipped with the theme contained heavily obfuscated JavaScript. In open-source software, that is an indication that something is wrong.

Screenshot of Notepad showing heavily obfuscated JavaScript code in the file release-notes.js.

The researchers managed to deobfuscate some of this hidden code and noted several references to usernames and passwords. What these referred to is not known.
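As an added defender-side example (not code from the article, the researchers or Microsoft), the check below applies the rule of thumb above to an installed extension directory: a theme extension's package.json should only contribute themes or icon themes, with no entry point, activation events or shipped JavaScript, and any JavaScript that is present is flagged when it is dense with hex/unicode escapes or packed into very long lines. The thresholds, the file-name checks and the sample extension it writes to a temporary directory are constructed assumptions, not Marketplace rules.

```python
import json, os, re, tempfile

# Assumed heuristics, not a VS Code or Marketplace rule: a theme-only extension
# contributes themes/iconThemes as static JSON and has no reason to declare an
# entry point or activation events, or to ship any JavaScript at all.
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")

def looks_obfuscated(path, max_escapes=20, max_line=500):
    """Crude obfuscation signal: many hex/unicode escapes or one huge line."""
    with open(path, encoding="utf-8", errors="replace") as f:
        src = f.read()
    longest = max((len(line) for line in src.splitlines()), default=0)
    return len(ESCAPE_RE.findall(src)) > max_escapes or longest > max_line

def audit_theme_extension(ext_dir):
    """Return human-readable findings for the extension rooted at ext_dir."""
    with open(os.path.join(ext_dir, "package.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    contributes = manifest.get("contributes", {})
    if not (contributes.get("themes") or contributes.get("iconThemes")):
        return []  # not a theme extension; these checks do not apply
    findings = []
    for key in ("main", "browser"):
        if key in manifest:
            findings.append(f"manifest declares entry point '{key}': {manifest[key]}")
    if manifest.get("activationEvents"):
        findings.append(f"manifest declares activationEvents: {manifest['activationEvents']}")
    for root, dirs, files in os.walk(ext_dir):
        dirs[:] = [d for d in dirs if d != "node_modules"]  # dependencies: separate audit
        for name in files:
            if name.endswith((".js", ".cjs", ".mjs")):
                path = os.path.join(root, name)
                rel = os.path.relpath(path, ext_dir)
                findings.append(f"JavaScript shipped in a theme: {rel}")
                if looks_obfuscated(path):
                    findings.append(f"{rel} looks obfuscated")
    return findings

def build_sample():
    """Constructed sample extension on disk (not the real Material Theme package)."""
    ext_dir = tempfile.mkdtemp(prefix="theme-audit-")
    manifest = {"name": "sample-theme", "main": "./release-notes.js",
                "contributes": {"themes": [{"label": "Sample", "uiTheme": "vs-dark",
                                            "path": "./themes/sample.json"}]}}
    with open(os.path.join(ext_dir, "package.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    with open(os.path.join(ext_dir, "release-notes.js"), "w", encoding="utf-8") as f:
        f.write('var _0x1 = "' + "\\x41" * 30 + '";\n')  # escape-heavy literal
    return ext_dir
```

Run `audit_theme_extension` against each folder under your VS Code extensions directory; a clean theme returns an empty list, and every finding names the manifest key or file that needs a closer look.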

Microsoft confirms

Microsoft investigated the VSCode extensions and reached the same conclusion. The tech giant also discovered further indicators of malware. The extensions were then immediately removed from the VS Marketplace, and they were also removed from all VSCode instances on which they were installed.

The tech giant will soon release more details about the malicious extensions and possible malicious activity in the VS Marketplace GitHub repository.

Response from the publisher of the VSCode extensions

Microsoft has since banned Mattia Astorino (aka equinusocio), the publisher of both VSCode extensions. The publisher had more than 13 million installs and was thus a major player.

Commenting on GitHub, Astorino said that the suspected malware was in fact a bug that had gone unnoticed since 2016. Specifically, he attributed it to an outdated sanity.io dependency used to display release notes from a Sanity headless CMS, and said the error had been fixed within 30 minutes.

The publisher further reacted furiously to Microsoft’s decision, stating that they have now caused problems in VSCode for many users.

Mattia Astorino later published what he described as a completely rewritten extension without dependencies, called Fanny Themes, in the VSCode Marketplace. Microsoft removed it immediately.
