Microsoft Restores Material Theme Extensions After False Security Flag
Microsoft reinstated the "Material Theme - Free" and "Material Theme Icons - Free" VS Code extensions after an AI‑driven security scan mistakenly flagged them as malicious, prompting a public apology and a review of its scanning policies.
Microsoft re‑listed the "Material Theme - Free" and "Material Theme Icons - Free" extensions on the Visual Studio Marketplace after they were mistakenly removed.
The two extensions, with over 9 million installations, were taken down in late February due to perceived security risks, and their publisher Mattia Astorino (also known as "equinusocio") was banned from the platform.
A Microsoft employee explained that a community member performed an in‑depth security analysis, identified multiple dangerous signals of malicious intent, and reported the findings to Microsoft; the company’s security researchers confirmed the concerns and discovered additional suspicious code.
Researchers Amit Assaraf and Itay Kruk deployed an AI scanner to search for suspicious commits in VS Code projects, and the scanner was the first to flag the Material Theme extensions as potential malware.
The high‑risk assessment stemmed from the theme’s release‑notes.js file, which contained code‑execution functionality and was heavily obfuscated.
Astorino argued that the issue originated from an outdated sanity.io dependency used since 2016 for displaying Sanity Headless CMS release notes.
He stated that, had Microsoft contacted him, the dependency could have been removed within seconds, but instead the account was banned without warning.
Astorino clarified that there was no malicious behavior: the only problematic component was an old build script in the distributed index.js (for Material Theme Icons) that generated JSON from a closed‑source SVG repository; the obfuscation unintentionally bundled the sanity.io SDK client, which contained some credential‑like strings, but these posed no real threat.
Microsoft engineer Scott Hanselman later apologized on a GitHub issue, acknowledging the false positive, confirming that the extensions are safe and have been restored, and promising to clarify the policy on obfuscated code while improving the scanning process to prevent similar incidents.
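The three signals named above (obfuscation, code‑execution functionality, credential‑like strings) can be sketched as a static triage check. This is an added example, not the researchers' scanner or Microsoft's tooling; the patterns, thresholds, verdict names and both sample inputs are constructed assumptions. It shows why such signals support a manual review rather than a malware verdict.

```javascript
// Added example: heuristic triage of a bundled extension file.
// Patterns and thresholds are assumptions for illustration, not the
// scanner or Marketplace checks described in the article.
const EXEC_PATTERNS = [/\beval\s*\(/, /\bnew\s+Function\s*\(/, /\bchild_process\b/];
const CREDENTIAL_LIKE =
  /\b(?:token|secret|password|api[_-]?key)["']?\s*[:=]\s*["'][^"']{8,}["']/i;
const HEX_IDENT = /\b_0x[0-9a-f]{3,}\b/g; // naming style common in obfuscator output

function triage(source) {
  const longestLine = source.split("\n").reduce((m, l) => Math.max(m, l.length), 0);
  const hexIdents = (source.match(HEX_IDENT) || []).length;
  const signals = [];
  if (longestLine > 2000 || hexIdents >= 5) signals.push("obfuscated");
  if (EXEC_PATTERNS.some((re) => re.test(source))) signals.push("code-execution");
  if (CREDENTIAL_LIKE.test(source)) signals.push("credential-like-string");
  // Static signals cannot tell a bundled SDK from a dropper, so the strongest
  // outcome here is a human review, never an automatic "malicious" verdict.
  const verdict =
    signals.length === 0 ? "pass" : signals.length >= 2 ? "manual-review" : "note";
  return { signals, verdict };
}

// Constructed sample: an obfuscated bundle that pulled in a third-party client.
const BUNDLED_SAMPLE = [
  "var _0x3fa1=['render','notes'];function _0x51c2(_0x1ab3,_0x77de){return _0x3fa1[_0x1ab3];}",
  "var _0x9c04=new Function('return this')();",
  "var _0x2e6b={projectId:'constructed',token:'constructed-placeholder-value'};",
].join("\n");

// Constructed sample: a plain, readable theme loader.
const PLAIN_SAMPLE = [
  "const fs = require('fs');",
  "function loadTheme(path) { return JSON.parse(fs.readFileSync(path, 'utf8')); }",
  "module.exports = { loadTheme };",
].join("\n");

console.log(triage(BUNDLED_SAMPLE).verdict, triage(PLAIN_SAMPLE).verdict);
```

The bundled sample trips all three signals without doing anything harmful, which is the same shape of result the article describes for the obfuscated release-notes and index files.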
IT Services Circle