Microsoft has reinstated the ‘Material Theme – Free’ and ‘Material Theme Icons – Free’ extensions on the Visual Studio Marketplace after finding that the obfuscated code they contained wasn’t actually malicious.

The two VSCode extensions, which count over 9 million installs, were pulled from the VSCode Marketplace in late February over security risks, and their publisher, Mattia Astorino (aka ‘equinusocio’) was banned from the platform.

“A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us,” stated a Microsoft employee at the time.

“Our security researchers at Microsoft confirmed this claim and found additional suspicious code.”

Researchers Amit Assaraf and Itay Kruk, who were deploying AI-powered scanners seeking suspicious submissions on VSCode, first flagged them as potentially malicious.

The researchers told BleepingComputer that their high-risk evaluation for Material Theme arose from what was detected as the presence of code execution capabilities in the theme’s “release-notes.js” file, which was also heavily obfuscated.

Astorino immediately objected to the allegations and the removal of his extensions from the VSCode Marketplace, alleging that the problem comes from an outdated sanity.io dependency used since 2016 to show release notes from sanity headless CMS.

The publisher said that they could have removed this dependency from the themes in seconds if Microsoft had contacted them, but instead, they saw themselves getting banned without warning.

“There was nothing malicious. I hadn’t updated the extension in years since I was focused on the new version, apart from the obfuscation process,” Astorino told BleepingComputer today via email.

“The only issue was a build script that ended up in the distributed index.js (referring to Material Theme Icons). This script was used to generate JSON files after pulling SVG icons from a closed-source repository—something I removed a long time ago.”

“Regarding Material Theme, the obfuscation process unintentionally included the sanity.io SDK client, which contained some strings referencing passwords or usernames (the auth client). However, these were not harmful—just a result of a flawed build process made long time ago.”

Extensions back in VSMarketplace

Microsoft’s Scott Hanselman apologized to Astorino yesterday in a GitHub issue opened by the developer asking for his account and themes to be reinstated.

“The publisher account for Material Theme and Material Theme Icons (Equinusocio) was mistakenly flagged and has now been restored,” reads Hanselman’s post.

“In the interest of safety, we moved fast and we messed up. We removed these themes because they fired off multiple malware detection indicators inside Microsoft, and our investigation came to the wrong conclusion.”

“Again, we apologize that the author got caught up in the blast radius and we look forward to their future themes and extensions. We’ve corresponded with him and thanked him for his patience,” continued Hanselman.

Additionally, Hanselman stated that the Visual Studio Code Marketplace will update its policy on obfuscated code and update its scanners accordingly to avoid quickly acting upon projects in the future.

When asked by BleepingComputer about this development, cybersecurity researcher Amit Assaraf continued to claim that the extension did contain malicious code. However, there was no malicious intent from the publisher, commenting that “in this case, Microsoft moved too fast.”

According to Astorino, the Material Theme extensions on the VSCode marketplace have been completely rewritten and are safe to use.