The post has been deleted: <a href="https://web.archive.org/web/20250226020241/https://github.com/material-theme/vsc-material-theme/discussions/1313" rel="nofollow">https://web.archive.org/web/20250226020241/https://github.co...</a>
Hi - Isidor here from the VS Code team.<p>A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us.
Our security researchers at Microsoft confirmed these claims and found additional suspicious code.<p>We banned the publisher from the VS Marketplace, removed all of their extensions, and uninstalled them from all VS Code instances that had this extension running. For clarity - the removal had nothing to do with copyright/licenses, only with potential malicious intent.<p>Expect an announcement here with more details soon <a href="https://github.com/microsoft/vsmarketplace/">https://github.com/microsoft/vsmarketplace/</a><p>As a reminder, the VS Marketplace continuously invests in security. More about extension runtime trust can be found in this article <a href="https://code.visualstudio.com/docs/editor/extension-runtime-security" rel="nofollow">https://code.visualstudio.com/docs/editor/extension-runtime-...</a><p>Thank you!
Hey y'all, I made the most prominent fork of this extension, "Material Theme (But I Won't Sue You)"<p>The maintainer went off the deep end last year. He pulled the (originally Apache 2) source offline, then started threatening to sue people for hosting alternative versions, including them in other IDEs, etc. Genuine lunatic.<p>Out of an abundance of caution, I've taken the following action on my fork:<p>1. I have the VS Code team auditing it as we speak, and I've given them full permission to immediately pull it from the marketplace & force uninstall it from users if they find ANYTHING malicious.<p>2. I have audited the code base thoroughly (nothing seemed malicious)<p>3. I have removed ALL code related to changelogs, analytics, Open Collective and HTML rendering.<p>The only thing that seemed slightly concerning was the HTML + sanity loader for changelogs, so I gutted it entirely. Two PRs removed almost all the deps and over 7,000 LOC (mostly package-lock)<p>Repo is here if anyone else would like to audit <a href="https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you">https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you</a>
Curiously, someone on Reddit noticed suspicious changes in this extension <i>7 months ago</i> [1]. Obfuscation in open source is usually an extreme red flag. Microsoft really needs to rethink their security model for VS Code extensions. It has simply become way too profitable to target given whatever they are doing against it. For every dev they ban, 10 will come with new malicious extensions.<p>[1] <a href="https://www.reddit.com/r/vscode/comments/1eq40o2/has_the_material_theme_extension_been_compromised/" rel="nofollow">https://www.reddit.com/r/vscode/comments/1eq40o2/has_the_mat...</a>
Reading the commentary, this guy seems unhinged. He thinks he owns literal hex codes.<p>He sucks at tech and has driven away everyone good at it. I don't use his software, but I hope he gets out of this episode soon (and learns he didn't invent Material!)
Someone uploaded a replacement, Material Theme (But I Won't Sue You)<p><a href="https://marketplace.visualstudio.com/items?itemName=t3dotgg.vsc-material-theme-but-i-wont-sue-you" rel="nofollow">https://marketplace.visualstudio.com/items?itemName=t3dotgg....</a>
What is it about material themes that does this to people? The same kind of thing happened to the IntelliJ one half a decade back.<p>At least that one wasn't literally just colours.
Can anyone help point out where in the repo the malicious part was? Can't find it.<p>Found the obfuscated code here <a href="https://web.archive.org/web/20250226020241/https://github.com/material-theme/vsc-material-theme/discussions/1313" rel="nofollow">https://web.archive.org/web/20250226020241/https://github.co...</a>
I'm quite happy that nowadays most tools have competently made themes out of the box, so that if someone wants to minimize risks from something like this and keep the extensions/addons they install to a minimum, that's pretty viable.<p>Of course, it's also nice that it's possible to theme the software to such a degree and improve usability and accessibility in some cases, just that the feature requests about limiting permissions need to be addressed.
One of the things I love about the internet is learning how different people can be. I perceive it as different than me, but I assume everyone has their quirks.<p>In this case, this is one of the most extreme instances of people installing lots of dependencies. The moment I realized something was different in me was left-pad; I already felt that couldn't be me.<p>The log4j incident hit me different; it COULD have easily been me. A security vulnerability is like death or a terminal illness in my eyes. Successful companies that scale do so without incidents. If you are running a company and you have a vuln, you are out of the race. So I tightened up a lot after that.<p>I realize something similar with sex: I just can't fathom putting my whole life on the line just to have sex with somebody and then have nothing to show for it, no relationship, nothing.<p>And today we see this: people are really risking their companies, their reputation, their pride to have pretty colors on their IDE.<p>I used to fight it, try to convince people. Of course I still keep the pride of being different and wary, but in the end, you will likely be fine, and I only hold a statistical advantage. Both are valid strategies of going about life, I guess.
If you do a bit of a repo dive, the repo was initially MIT licensed from its initial commit for at least a couple of years before that license was replaced by Apache 2.0, so there's an argument to be made that that license also applies.
Another creator gone off the deep end apparently?<p>> reading the review responses by the creator, I don't really trust it anymore. Being rude to others who are concerned over the recent move to closed-source (and without warning!) is pretty disheartening.<p>> So, uh, the guy who made the VS Code Material Theme is threatening everyone who uses it in their products. He seems to have forgotten it was originally licensed under the Apache License, 2.0.. He wiped the commit history to make it look like it was always his weird fake license.<p>Real messy. It’s always shocking to me how little people realize - or care - how their behavior - especially their treatment of others reflects on them.
This appears to be the original source code, before the change to the license and suspicious code:<p><a href="https://github.com/Dramaga11/vsc-material-theme">https://github.com/Dramaga11/vsc-material-theme</a>
I found the malicious JavaScript (messages.js) file and put it in a Pastebin for anyone to analyze <a href="https://pastebin.com/yY1X0LiD" rel="nofollow">https://pastebin.com/yY1X0LiD</a><p>Obviously it's obfuscated by the guy originally.
Are these the same developers? <a href="https://plugins.jetbrains.com/plugin/8006-material-theme-ui" rel="nofollow">https://plugins.jetbrains.com/plugin/8006-material-theme-ui</a>
It appears Microsoft released their 'detailed announcement' - it's just a one-sentence fragment in a Markdown file: <a href="https://github.com/microsoft/vsmarketplace/blob/main/RemovedPackages.md">https://github.com/microsoft/vsmarketplace/blob/main/Removed...</a><p>I'm increasingly suspecting there was nothing actually wrong with the extension, and Theo and others may have simply demolished an open-source developer's reputation primarily because they found him difficult to collaborate with.<p>This is nuts.
From a quick deobfuscation of some of the code, I can't see anything wrong with it? I think this is just a case of obfuscated code being against the VS Code guidelines. The guy clearly wanted people to buy his pro version, so maybe that's why he obfuscated all the code in the extension.
In VS Code on Linux, the notification "We have uninstalled..." is very annoying. I try to remove the extension and after a few seconds it appears again and again. I think I have to use another IDE for today. Fix this, guys. PLS
The "we took this down for security" is such a tempting _acceptable_ form of censorship.<p>My bank does this for my suspicious transactions, with a near 100% false positive rate.
The message that appears in VS Code on Linux, "We have uninstalled 'equinusocio...", is very annoying. Please fix this, guys. I have tried to uninstall the extension, but magically it appears again. For today I have to use another IDE because of how annoying it is...
Looks like he's responded to it here. Delusional maniac? (Also, don't download and install that file he links)<p><a href="https://github.com/material-theme/vsc-material-theme/discussions/1314">https://github.com/material-theme/vsc-material-theme/discuss...</a>