Hey there, how long has it been? A month since the last time we had millions of developers exposed to malware through a marketplace? Well, here we go again.
Say hello to the wolf in dark mode, “Material Theme”, an extremely popular VSCode theme extension, found to contain malware underneath its beautiful color scheme.

So, what is going on?
Material Theme — Free, a theme extension for VSCode that was installed 3,927,094 times by developers, was found to contain malicious code through a dependency. The theme is one of the most popular themes available on the VSCode marketplace to date, so its removal gathered a lot of attention and concern from the developer community.
A deep analysis concluded that multiple red flags indicating malicious intent are hiding inside its codebase. Once reported, the extension was pulled from the VSCode marketplace, but it had enough time to expose ~4 million developers and countless organizations. The malicious code appears to live inside a dependency of the theme, which was compromised.
The publisher of this extension, Equinusocio, who has lately been the subject of hot debate and controversy, is one of the most popular publishers on the store, with another extremely popular extension, “Material Theme Icons — Free”, installed over 5 million times, which was also removed from the marketplace; Microsoft even went as far as to remove other publishers connected to Equinusocio’s real name, Mattia Astorino. Research is still being done to conclude whether it also contains this malicious dependency.
The total install count across all of the publisher Equinusocio’s extensions is a whopping 13,177,186, making the potential impact of this incident enormous and yet to be fully revealed.
Update 3/12/2025: The publisher has been restored to the marketplace after cleaning the extensions here. We appreciate that the publisher has removed the malicious dependency, and we’re glad to see that Microsoft has restored the theme to the VSCode marketplace. As always, we encourage organizations to exercise caution, particularly with non-critical marketplace items like themes.
Damn.. So what’s next?
First, we recommend ensuring your environment has not been infected; you can leverage the IOCs below or contact us.
Even when we trust the developer of an extension, it’s crucial to remember that every version could be entirely different from the previous one. If the extension developer is compromised, or, as in this case, one of its dependencies, the users are effectively compromised as well — almost instantly.
This is a classic software supply chain problem that we meet every day in large enterprises: how do you balance security and productivity? We’ve built our product to do just that, for practitioners and enterprises alike.
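An added inventory check in Python (example code, not from the post, the publisher or the extension): it reads each installed extension's `package.json`, flags extensions from the publisher named above, and reports which extensions pull in a given dependency once its name is known. The `~/.vscode/extensions` layout, the placeholder dependency name and the sample manifests are assumptions.

```python
import json
from pathlib import Path

# Publisher named in the post; compared case-insensitively against each manifest.
SUSPECT_PUBLISHERS = {"equinusocio"}

# Constructed sample manifests (not real extension metadata) so the check runs offline.
# "PLACEHOLDER-compromised-dep" stands in for the compromised dependency, which the post does not name.
SAMPLE_MANIFESTS = [
    {"publisher": "Equinusocio", "name": "example-theme", "version": "1.2.3",
     "dependencies": {"PLACEHOLDER-compromised-dep": "1.0.0"}},
    {"publisher": "someone-else", "name": "harmless-linter", "version": "0.4.0",
     "dependencies": {"semver": "7.0.0"}},
]


def load_manifests(ext_root=None):
    """Read package.json from every folder under the VSCode extensions directory (assumed ~/.vscode/extensions)."""
    root = Path(ext_root) if ext_root else Path.home() / ".vscode" / "extensions"
    manifests = []
    if not root.is_dir():
        return manifests
    for folder in root.iterdir():
        manifest = folder / "package.json"
        if manifest.is_file():
            try:
                with manifest.open(encoding="utf-8") as fh:
                    manifests.append(json.load(fh))
            except (OSError, ValueError):
                pass  # unreadable or malformed manifest: skip here, review by hand
    return manifests


def flag_extensions(manifests, suspects=SUSPECT_PUBLISHERS):
    """Return (publisher, name, version) for each manifest whose publisher is on the suspect list."""
    wanted = {s.lower() for s in suspects}
    return [(m.get("publisher"), m.get("name"), m.get("version"))
            for m in manifests if str(m.get("publisher", "")).lower() in wanted]


def uses_dependency(manifests, dep_name):
    """Return names of extensions whose runtime dependencies include dep_name (once the bad package is known)."""
    return [m.get("name") for m in manifests if dep_name in m.get("dependencies", {})]


if __name__ == "__main__":
    installed = load_manifests() or SAMPLE_MANIFESTS  # falls back to the constructed sample
    for hit in flag_extensions(installed):
        print("review:", hit)
```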
If you’d like to chat, hit us up here 🤙
IOCs