Microsoft removed two widely-used extensions from the Visual Studio Code marketplace — Material Theme – Free and Material Theme Icons – Free — after security researchers Amit Assaraf and Itay Kruk discovered obfuscated executable code in what should have been static theme files. The extensions had accumulated nearly 9 million downloads combined before removal. BleepingComputer’s full coverage details the scope of the investigation.
Security Investigation Reveals Sophisticated Code Injection
Security researchers Amit Assaraf and Itay Kruk conducted an in-depth analysis that uncovered suspicious code introduced through recent updates. The investigation revealed a possible supply chain attack or developer account compromise, particularly concerning given that theme extensions should only contain static JSON files rather than executable code.
Technical Analysis of the Security Breach
The security team identified heavily obfuscated JavaScript code within the release-notes.js files. Microsoft’s subsequent investigation confirmed the presence of additional suspicious code patterns, leading to the immediate suspension of the publisher’s account and the removal of all associated extensions from the VS Marketplace. The company implemented an automatic deactivation protocol for these extensions across all installed VS Code instances.
Developer Response and Dependency Concerns
Extension creator Mattia Astorino attributed the security issue to an outdated sanity.io dependency used for rendering release notes. While this dependency had passed security checks since 2016, recent evidence suggests possible compromise. An attempt to republish the extensions under the name “Fanny Themes” was also blocked by Microsoft as a precautionary measure.
Developers with these extensions installed need to act now
VS Code automatically disabled these extensions across all installations, but manual removal is recommended. Remove the following publisher’s extensions from your VS Code:
equinusocio.moxer-theme
equinusocio.vsc-material-theme
equinusocio.vsc-material-theme-icons
equinusocio.vsc-community-material-theme
equinusocio.moxer-icons
Beyond removal, developers should audit any VS Code extension that contains JavaScript execution logic (not just static JSON/CSS) — particularly those that handle release notes rendering or call external APIs. Microsoft has committed to publishing a post-incident analysis in the VSMarketplace GitHub repository. Going forward, treat extension updates with the same scrutiny as dependency updates in production code: check changelogs, review permissions, and monitor for unexpected network calls.
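As an added example (not code from the article or from the Material Theme project), the Python script below walks a VS Code extensions directory, flags anything from the publisher named above, and flags theme or icon-theme extensions that declare an entry point or ship JavaScript files, since a pure theme should contain only JSON. The extensions-folder layout, the manifest contents and the two sample extensions are constructed for the demo and are not taken from the real packages.

```python
"""Audit VS Code extension folders (layout assumed: ~/.vscode/extensions/<publisher>.<name>-<version>/package.json)."""
import json
import tempfile
from pathlib import Path

THEME_KEYS = ("themes", "iconThemes", "productIconThemes")
SUSPENDED_PUBLISHERS = {"equinusocio"}  # publisher named in the article

def find_scripts(ext_dir: Path) -> list:
    """List every JavaScript file shipped in the extension, relative to its root."""
    return sorted(str(p.relative_to(ext_dir)) for p in ext_dir.rglob("*")
                  if p.is_file() and p.suffix in {".js", ".mjs", ".cjs"})

def audit_extension(ext_dir: Path) -> dict:
    """Flag a theme/icon extension that declares an entry point or ships scripts, or a suspended publisher."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    publisher, name = manifest.get("publisher", "?"), manifest.get("name", "?")
    contributes = manifest.get("contributes") or {}
    is_theme = any(key in contributes for key in THEME_KEYS)
    entry_point = manifest.get("main") or manifest.get("browser")  # a pure theme has neither
    scripts = find_scripts(ext_dir)
    reasons = []
    if publisher in SUSPENDED_PUBLISHERS:
        reasons.append("publisher suspended from the Marketplace")
    if is_theme and (entry_point or scripts):
        reasons.append("theme extension contains executable code: " + ", ".join(scripts or [entry_point]))
    return {"id": f"{publisher}.{name}", "flagged": bool(reasons), "reasons": reasons}

def audit_all(extensions_root: Path) -> list:
    return [audit_extension(d) for d in sorted(extensions_root.iterdir()) if (d / "package.json").is_file()]

def _write_extension(root: Path, folder: str, manifest: dict, files: dict) -> None:
    """Create a constructed extension folder for the demo (not a real extension)."""
    for rel, body in {"package.json": json.dumps(manifest), **files}.items():
        (root / folder / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / folder / rel).write_text(body, encoding="utf-8")

def demo() -> list:
    """Audit two constructed extensions: one clean theme, one modelled on the incident described above."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write_extension(root, "someone.plain-theme-1.0.0",
            {"publisher": "someone", "name": "plain-theme",
             "contributes": {"themes": [{"label": "Plain", "path": "./themes/plain.json"}]}},
            {"themes/plain.json": "{}"})
        _write_extension(root, "equinusocio.vsc-material-theme-0.0.0",
            {"publisher": "equinusocio", "name": "vsc-material-theme", "main": "./build/extension.js",
             "contributes": {"themes": [{"label": "Material", "path": "./build/material.json"}]}},
            {"build/material.json": "{}", "build/release-notes.js": "// constructed stand-in, not the real file\n"})
        return audit_all(root)
```

To run it against a real installation, call `audit_all(Path.home() / ".vscode" / "extensions")` and review every record whose `flagged` is true before deciding whether to uninstall.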