
Extension apollographql.vscode-apollo disappeared from VSCode Marketplace and "Manage Extensions" screen #1113

Open
phryneas opened this issue Jan 10, 2025 · 17 comments
Assignees
Labels
bug Something isn't working

Comments

@phryneas

Describe the bug

We just noticed that our extension apollographql.vscode-apollo has disappeared from the VSCode Marketplace.
The extension had over 500k installations.

We searched all related email accounts and it doesn't seem that we were contacted in any way about this - has it been deleted from the marketplace by accident?

To Reproduce

Visit https://marketplace.visualstudio.com/items?itemName=apollographql.vscode-apollo - the extension should be there, but it leads to a 404.

Expected behavior

The extension should be listed in the marketplace and available for download in VSCode

Screenshots

Image

I still have a local installation - we last published an update on Dec 12 2024.

Image

@phryneas phryneas added the bug Something isn't working label Jan 10, 2025
@ivankravets

The same issue with https://marketplace.visualstudio.com/items?itemName=platformio.platformio-ide

Over 4,500,000 unique installs and the extension has been removed :(

@mariaghiondea
Contributor

These extensions and a few others were removed from the Visual Studio Marketplace as versions were flagged as malicious. We will be working with owners to bring them back.

@bignimbus

bignimbus commented Jan 10, 2025

Will existing users of the extension be able to seamlessly get updates when we complete the steps to get it restored? E.g. if a user installed a prior version of the software, will they be able to get automatic updates when we restore and publish future versions? @mariaghiondea @madhurivadaligithub

@bignimbus

Our team did receive an email but it was somewhat vague - is there a way we can get more information on what precisely caused our extension to be flagged? We do actively maintain our dependencies and publish regularly, so I'm confident that we can build the necessary automation to ensure that we scan for any dependencies that might cause a similar issue in the future.

@mariaghiondea
Contributor

We are working on a solution to restore the extensions. I will update this thread as we make progress.

@mariaghiondea
Contributor

> Our team did receive an email but it was somewhat vague - is there a way we can get more information on what precisely caused our extension to be flagged? We do actively maintain our dependencies and publish regularly, so I'm confident that we can build the necessary automation to ensure that we scan for any dependencies that might cause a similar issue in the future.

Several versions of the removed extensions contained a package (the flatmap-stream npm package) that is known bitcoin mining malware.

We are working on a solution to restore the extensions and stats.

@phryneas
Author

phryneas commented Jan 10, 2025

> Several versions of the removed extensions contained a package (the flatmap-stream npm package) that is known bitcoin mining malware.

@mariaghiondea looking at our lockfile, that has not been the case. You probably have an error in your metrics there.
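The lockfile check discussed in the two comments above, written out as an added example. This is not code from the issue thread, from Apollo, from PlatformIO or from the Marketplace team. It walks an npm `package-lock.json` (both the nested lockfileVersion 1 tree and the flat `packages` map of versions 2 and 3) and reports every copy of a denylisted package, including copies nested under another dependency, which is where a flagged package usually hides. The denylist, the sample lockfiles and all version numbers in them are constructed for the example; the thread names flatmap-stream but no specific versions, so the check matches on package name only.

```javascript
// Added example (not code from the issue thread or from either project):
// scan an npm package-lock.json for packages on a denylist, so that a
// flagged dependency such as flatmap-stream is caught before an extension
// is packaged and published.
//
// Handles lockfileVersion 1 (nested "dependencies" tree) and 2/3 (flat
// "packages" map keyed by install path). The denylist, the sample lockfiles
// and their version numbers below are constructed for this example.

const DENYLIST = new Set(["flatmap-stream"]);

// Derive a package name from a v2/v3 install path such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(pkgPath) {
  const marker = "node_modules/";
  const idx = pkgPath.lastIndexOf(marker);
  return idx === -1 ? pkgPath : pkgPath.slice(idx + marker.length);
}

// Walk a lockfileVersion 1 "dependencies" tree, recording hits with the
// install path they would occupy on disk.
function walkV1(deps, parentPath, denylist, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const pkgPath = `${parentPath}node_modules/${name}`;
    if (denylist.has(name)) {
      hits.push({ name, version: entry.version, path: pkgPath });
    }
    walkV1(entry.dependencies, `${pkgPath}/`, denylist, hits);
  }
}

// Return every occurrence of a denylisted package in a parsed lockfile,
// including nested copies pulled in transitively by another dependency.
function findDenylisted(lockfile, denylist = DENYLIST) {
  const hits = [];
  if (lockfile.packages) {
    // v2/v3: the "" key is the root project itself, skip it.
    for (const [pkgPath, entry] of Object.entries(lockfile.packages)) {
      if (pkgPath === "") continue;
      const name = entry.name || nameFromPath(pkgPath);
      if (denylist.has(name)) {
        hits.push({ name, version: entry.version, path: pkgPath });
      }
    }
  } else {
    // v1 only: a v2 lockfile also carries "dependencies", but the "packages"
    // map above already covers it, so the tree is walked only when absent.
    walkV1(lockfile.dependencies, "", denylist, hits);
  }
  return hits;
}

// Parse lockfile text and scan it; returns the same hit list.
function scanLockfileText(text, denylist = DENYLIST) {
  return findDenylisted(JSON.parse(text), denylist);
}

// Constructed sample: a v3 lockfile where the flagged package is present only
// as a nested dependency of another package.
const SAMPLE_LOCK_V3 = {
  name: "example-extension",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-extension", version: "1.0.0" },
    "node_modules/some-stream-lib": { version: "3.0.0" },
    "node_modules/some-stream-lib/node_modules/flatmap-stream": { version: "0.1.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Constructed sample: the same tree in lockfileVersion 1 form.
const SAMPLE_LOCK_V1 = {
  name: "example-extension",
  lockfileVersion: 1,
  dependencies: {
    "some-stream-lib": {
      version: "3.0.0",
      dependencies: { "flatmap-stream": { version: "0.1.0" } },
    },
    "left-pad": { version: "1.3.0" },
  },
};

// CLI use: node scan-lockfile.js path/to/package-lock.json
// With a file argument the exit code is non-zero on any hit, so the script
// can gate a CI publish step; without one it scans the constructed samples.
if (typeof require !== "undefined" && require.main === module) {
  if (process.argv[2]) {
    const fs = require("fs");
    const hits = scanLockfileText(fs.readFileSync(process.argv[2], "utf8"));
    for (const h of hits) console.log(`DENYLISTED ${h.name}@${h.version} at ${h.path}`);
    process.exit(hits.length ? 1 : 0);
  } else {
    console.log("v3 sample:", findDenylisted(SAMPLE_LOCK_V3));
    console.log("v1 sample:", findDenylisted(SAMPLE_LOCK_V1));
  }
}
```

Running it against a real lockfile in CI (before `vsce package`, for instance) turns the "scan for any dependencies that might cause a similar issue" idea into a blocking check; the hit list includes the install path, so a nested copy under another dependency is attributed to the dependency that pulled it in rather than to the project's own `package.json`.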

@bignimbus

Thank you for the details!

> We are working on a solution to restore the extensions and stats.

Apologies, I don't quite understand the implication here - does this mean we will not need to take action on our part?

@mariaghiondea
Contributor

> Thank you for the details!
>
> We are working on a solution to restore the extensions and stats.
>
> Apologies, I don't quite understand the implication here - does this mean we will not need to take action on our part?

No action needed. We are working to bring back the extension and stats.

@mariaghiondea
Contributor

The extension (latest version) was reuploaded successfully.
We will be updating stats next and updating you once done.

@flaviogheri

Apologies, not sure if I'm doing something wrong, however VSCode tells me that the PlatformIO extension isn't available for Linux (I have Ubuntu 24.04 installed). Should I install the PlatformIO core instead? Thank you :)

@mariaghiondea
Contributor

> Apologies, not sure if I'm doing something wrong, however VSCode tells me that the PlatformIO extension isn't available for Linux (I have Ubuntu 24.04 installed). Should I install the PlatformIO core instead? Thank you :)

It should work now. See #1114 (comment)

@mariaghiondea
Contributor

I've been posting this across our different threads, so I wanted to share it here too:

For a bit of context, my team (the Visual Studio Marketplace team) is doing a focused effort on security and looking for ways to become more proactive in the space, as well as react to existing threats. As part of that, we were scanning all extensions and discovered that 45 of them had older versions that needed to be removed. They were flagged as malicious because they contained the flatmap-stream npm package that is known bitcoin mining malware.

Due to miscommunication, this resulted in the removal of several extensions where only the older versions were flagged, and only those should have been removed. This affected your extension.

We realized it a few hours after and started taking action. This included communication to all package owners affected and trying to recover the extensions.
At this time, the latest version of these extensions has been recovered and install counts restored. We will work to bring back other stats too, during business hours next week.

This caused a lot of disruption for the community, and for the team.
We greatly appreciate everyone's patience and help!

We are currently doing an RCA. We are already implementing some of the repair items, to:

  • Increase transparency by communicating such impactful actions to the publishers and community before we take them and after we take them
  • Prevent the wrong action from being taken and look for gradual progression towards irreversible action
  • Improve the ability to recover data (more, faster, easier)

Please let me know your feedback. We'd love to use it in our RCA!

@ivankravets

Thanks for the update! The restored installation stats look good. I assume Microsoft has backups of the Marketplace.

So, how long will it take to recover the reviews for PlatformIO IDE?

@phryneas
Author

@mariaghiondea thank you for the update!

In our case, we know of a bunch of users who prefer to run older versions of the extension, as changes we introduced in v2 caused problems for their workflows.
While we are working on identifying and fixing those problems to enable those users to upgrade, it has been very valuable that these users could still install old versions of the extension from the marketplace.

At this point, we could probably rerun the CI jobs that compiled and submitted these old versions to have them re-added to the marketplace, but before we do that, I want to verify a few things:

  • Is it possible at all to upload older semver versions to the marketplace?
  • If we upload older semver versions to the marketplace, will these only show up as "old" while the "highest" release still counts as the most current release and will be the default download?
    We would want to prevent users accidentally downloading these old versions; they should explicitly opt into that.
  • Was the flatmap-stream package the only cause for this or do we have to double-check for other packages as well? We would want to avoid this whole situation repeating itself.

For reference, we already addressed flatmap-stream back on Nov 27, 2018 and we do not plan on restoring versions of the extension that are that old.

@mariaghiondea
Contributor

It should be possible to do all those steps. Please reach out to us if you encounter any issues at [email protected].
That package was the only cause for this.

Thank you again!

@madhurivadaligithub

Hi @phryneas / Team,

We sincerely apologize for the inconvenience and truly appreciate your patience.
We have completed the recovery of the latest version, including stats (installs, ratings & reviews, Q&A).

Regards,
VS Marketplace Team

6 participants