I noticed that many extensions have been removed from the VS Code marketplace after being wrongly flagged as malicious.
This raises some important questions:
How many extensions have been affected in total?
Does the VS Code team automatically take action to recover these extensions, or do publishers need to report the issue first? If the latter, why not send an official email to all publishers to ask them to check?
Thank you for expressing these thoughts, @ritwickdey
For a bit of context, my team (the Visual Studio Marketplace team) is doing a focused effort on security and looking for ways to become more proactive in the space, as well as react to existing threats. As part of that, we were scanning all extensions and discovered that 45 of them had older versions that needed to be removed. They were flagged as malicious because they contained the flatmap-stream npm package that is known bitcoin mining malware.
Due to miscommunication, this resulted in the removal of several extensions where only the older versions were flagged, and only those should have been removed.
This affected your extension as well.
We realized it a few hours after and started taking action. This included communication to all package owners affected and trying to recover the extensions.
At this time, the latest version for these extensions is recovered and install counts restored. We will work to bring back other stats too, during business hours next week.
This caused a lot of disruption for the community, and for the team. We greatly appreciate everyone’s patience and help!
We are currently doing an RCA. We are already implementing some of the repair items, to:
Increase transparency by communicating such impactful actions to the publishers and community before we take them and after we take them
Prevent the wrong action from being taken and look for gradual progression towards irreversible action
Improve the ability to recover data (more, faster, easier)
Please let me know your thoughts and feedback. We'd love to use it in our RCA!
We sincerely apologize for the inconvenience. And really appreciate your patience.
The latest version of the extension has been successfully recovered.
At this time, the install count has also been restored.
ritwickdey/vscode-live-server#3061
#1113
#1114
#1115