Thursday, May 8, 2025
Homecyber securityVS Code Extension with 9 Million Installs Attacks Developers with Malicious Code

VS Code Extension with 9 Million Installs Attacks Developers with Malicious Code

Published on

SIEM as a Service

Follow Us on Google News

Microsoft has removed two widely-used Visual Studio Code (VS Code) extensions, “Material Theme Free” and “Material Theme Icons Free,” from its marketplace after cybersecurity researchers discovered malicious code embedded within them.

These extensions, developed by Mattia Astorino (also known as equinusocio), had amassed nearly 9 million installations combined, with Astorino’s total extension downloads exceeding 13 million.

Following the removal, users received alerts notifying them that the extensions had been disabled for security reasons.

- Advertisement - Google News

The investigation revealed that the malicious code was likely introduced through a compromised dependency or during a recent update.

This suggests a possible supply chain attack or unauthorized access to the developer’s account.

Researchers noted that themes like these should typically consist of static JSON files and not execute any code, making the presence of obfuscated JavaScript in the extensions a significant red flag.

Malicious Intent Uncovered

The malicious behavior was initially flagged by cybersecurity experts Amit Assaraf and Itay Kruk, who specialize in detecting harmful VS Code extensions.

The analysis revealed heavily obfuscated JavaScript code in the extensions, which included references to usernames and passwords.

Although the exact purpose of this code remains unclear due to its complexity, its presence was sufficient to warrant immediate action by Microsoft.

Astorino has denied any intentional wrongdoing, attributing the issue to an outdated Sanity.io dependency used since 2016.

He criticized Microsoft for not notifying him before removing the extensions, claiming that fixing the dependency would have been a quick process.

However, Microsoft’s independent analysis corroborated the researchers’ findings, leading to the removal of all extensions associated with Astorino from the marketplace.

Potential Risks and Recommendations

The incident underscores the risks posed by malicious components in software supply chains.

Threat actors often exploit open-source platforms like VS Code Marketplace to distribute harmful code under the guise of legitimate extensions.

In this case, developers who installed these compromised extensions may have unknowingly exposed sensitive information or systems to potential breaches.

To mitigate risks, developers are advised to uninstall all extensions published by equinusocio, including:

  • equinusocio.moxer-theme
  • equinusocio.vsc-material-theme
  • equinusocio.vsc-material-theme-icons
  • equinusocio.vsc-community-material-theme
  • equinusocio.moxer-icons.

This incident highlights the importance of scrutinizing third-party dependencies and maintaining robust supply chain security practices.

Developers should regularly audit their tools and avoid extensions with suspicious or obfuscated code.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Researchers Turn the Tables: Scamming the Scammers in Telegram’s PigButchering Scheme

Cybersecurity specialists have devised an innovative approach to combat an emerging cybercrime called "PigButchering"...

New Spam Campaign Leverages Remote Monitoring Tools to Exploit Organizations

A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco...

New Attack Exploits X/Twitter Ad URL Feature to Deceive Users

Silent Push Threat Analysts have recently exposed a sophisticated financial scam leveraging a vulnerability...

Guess Which Browser Tops the List for Data Collection!

Google Chrome has emerged as the undisputed champion of data collection among 10 popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Researchers Turn the Tables: Scamming the Scammers in Telegram’s PigButchering Scheme

Cybersecurity specialists have devised an innovative approach to combat an emerging cybercrime called "PigButchering"...

New Spam Campaign Leverages Remote Monitoring Tools to Exploit Organizations

A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco...

New Attack Exploits X/Twitter Ad URL Feature to Deceive Users

Silent Push Threat Analysts have recently exposed a sophisticated financial scam leveraging a vulnerability...