Microsoft has restored the “Material Theme” and “Material Theme Icons” extensions to the Visual Studio Marketplace catalog (3.9 and 5.4 million installations, respectively) and has also lifted the block on the developer's account. Two weeks earlier the extensions had been removed after malicious code was supposedly identified in them. It later turned out that the removal was a mistake caused by a false positive during verification.
Microsoft representatives apologized to the affected developers and acknowledged that they had acted hastily in an attempt to protect users quickly from a potential threat, relying on alerts from several malware detectors that fired on the code. To prevent similar incidents in the future, Microsoft will clarify its policy on obfuscated code and update its scanning systems and investigation process.
The extensions came under suspicion of spreading malicious code because of obfuscated code blocks, which caught the attention of staff at ExtensionTotal, a company that develops AI-based tools for scanning VS Code extensions for malware. They raised concerns about the presence of these blocks and reported their suspicions to Microsoft.
For instance, suspicious code was found in the release-notes.js file, which should only contain static JSON data. Partial decoding of the hidden blocks revealed usernames and passwords. Microsoft's security researchers confirmed these findings, which led to the removal of the extensions and the blocking of the author's account.
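As an added illustration (not from the article, and not ExtensionTotal's or Microsoft's tooling), the following Python script shows the kind of heuristic that fires on a case like this: a file that should be static JSON but does not parse as such, long high-entropy strings, and base64 blobs that decode to credential-like fields. Both inputs are constructed; the second, a plain JSON file carrying a hex integrity hash, shows that the same heuristic also fires on benign content, which is why such findings are review triggers rather than proof of malice.

```python
import base64
import json
import math
import re

# Constructed sample 1: a .js file that should carry static release-notes
# JSON but also embeds a base64 blob encoding a credential-like object.
EMBEDDED = base64.b64encode(
    b'{"user":"build-bot","password":"example-secret"}').decode()
SUSPICIOUS_FILE = (
    'module.exports = {"notes":[{"version":"1.0"}],"blob":"' + EMBEDDED + '"};'
)
# Constructed sample 2: plain JSON with a hex integrity hash (benign).
BENIGN_FILE = json.dumps({"notes": [], "sha256": "0123456789abcdef" * 4})

BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
CRED_RE = re.compile(r"user(name)?|pass(word|wd)?|token|secret", re.I)


def shannon_entropy(s):
    """Bits per character of s; hex text tops out at 4, base64 near 5-6."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_static_json_file(text):
    """Return heuristic findings for a file expected to hold static JSON.

    Findings mean "review this", not "malicious": minified SDK code and
    integrity hashes trip the same heuristics as obfuscated payloads.
    """
    findings = []
    try:
        json.loads(text)
    except ValueError:
        findings.append("not-plain-json")      # executable code is present
    for blob in BLOB_RE.findall(text):
        if shannon_entropy(blob) < 3.5:
            continue                            # low entropy: likely prose
        findings.append("high-entropy-blob")
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                            # not base64-wrapped text
        if CRED_RE.search(decoded):
            findings.append("decoded-credential-like")
    return findings


if __name__ == "__main__":
    print(scan_static_json_file(SUSPICIOUS_FILE))
    print(scan_static_json_file(BENIGN_FILE))
```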
Following the block, the author of the extensions published an objection to Microsoft's actions, stating that the projects contained no malicious code and that the presence of obfuscated blocks was not a valid reason for removal. The obfuscated block came from client code of the Sanity.io SDK and, because of an old build script used to generate the file, inadvertently included a login and password.
The author stated that if Microsoft had informed them of the problem, it could have been resolved quickly. Instead, Microsoft blocked the extensions and the account without any prior notice. It took two weeks for the extensions to be reinstated once the mistake was recognized.