- Security researchers found malicious code hiding in two VSCode extensions
- Microsoft quickly pulled them and notifies users
- The developer criticized Microsoft’s move, saying they were never consulted
Microsoft has pulled two popular VSCode extensions from its marketplace after finding malicious code hiding inside. However, the original developers don’t seem to be the culprits, and have slammed Microsoft for its harsh reaction which, they claim, caused more harm than good.
Two security researchers – Amit Assaraf and Itay Kruk – used a specialized scanner to analyze extensions in Visual Studio Marketplace, and have found obfuscated malicious code in “Material Theme – Free” and “Material Theme Icons – Free”, two extensions built by one Mattia Astorino (AKA equinusocio).
BleepingComputer analyzed parts of the code and said that in the “release-notes.js” files in the theme, there was “heavily obfuscated JavaScript, which is always a red flag in open-source software.” Apparently, they managed to partially deobfuscate the code, which “showed numerous references to usernames and passwords”, but couldn’t determine the context in which they were being mentioned.
Microsoft’s move
Assaraf added the malicious code was most likely added in an update, suggesting either the developer’s account was compromised, or the malware was added in a supply chain attack.
Since the two extensions have roughly nine million downloads, combined, Microsoft’s reaction was swift: “Microsoft removed both extensions from the VS Code marketplace and banned the developer,” a Microsoft employee said in YCombinator’s Hacker News.
“A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us. Our security researchers at Microsoft confirmed this claims and found additional suspicious code.”
“We banned the publisher from the VS Marketplace and removed all of their extensions and uninstalled from all VS Code instances that have this extension running. For clarity – the removal had nothing to do about copyright/licenses, only about potential malicious intent.”
Astorino acknowledged the findings, but also criticized Microsoft for not reaching out to him first:
“Nothing harmful was ever shipped within Material Theme,” he said in a post on Microsoft’s VSMarketplace repository. “We just had an outdated sanity.io dependency used since 2016 to show release notes from sanity headless CMS, that was the only issue they found.”
“That dependency has been there since 2016 and passed every check since then, now it looks compromised but NO ONE from Microsoft reached us to remove it. They just pulled down everything causing issues to millions of users, and causing a loop in vscode (yep, it’s their fault)”
“They broke everything without ever reaching out to us for clarification. Removing the old dependency was a quick 30-second fix, but it seems that’s just how Microsoft operates. We also ship an obfuscated index.js file that contains all the theme commands and logic. It’s obfuscated because the extension is now closed-source; however, if you delete it, the extension will still function with plain JSON files.”
In an even quicker counter-move, Astorino completely rewrote the extension without any dependencies, and named it “Fanny Themes”, but Microsoft allegedly removed that one too.
Via BleepingComputer
Leave a comment