Material theme compromised? #1168
Comments
Posted 8 hours ago at the above link is this message from Microsoft below; reposting here to provide context missing from above.
Dear @gegtor nothing harmful was ever shipped within Material Theme. That dependency has been there since 2016 and passed every check since then, now it looks compromised but NO ONE from Microsoft reached us to remove it. They just pulled down everything causing issues to millions of users, and causing a loop in vscode (yep, it's their fault). They broke everything without ever reaching out to us for clarification. Removing the old dependency was a quick 30-second fix, but it seems that's just how Microsoft operates. We also ship an obfuscated We have now published a new theme that should have originally been called Material Theme Pro. This is a completely rewritten extension, offering more features and icons, and it has zero dependencies. Feel free to check it out to enjoy the same look and feel as the old Material Theme.
LMAO that sounds even more suspicious. Why should the js ever exist, and even obfuscated, if most users are not using it? And do you mean that someone accused you of distributing a virus in your open-sourced code and your response is removing all the open-sourced code, even clearing commit history, and after all this chaos claiming your plugin is completely safe? I did not believe the discovery of malicious code in Material Theme at first, but now it seems reasonable just because you are having a guilty conscience. Disclaimer: I haven't checked any code yet, and I hope it's just a misunderstanding so that none of us would be in danger.
Theo states that he has "thoroughly audited the code base (nothing seemed malicious)" (source). Perhaps this is about an earlier commit tree, but it's unclear. This raises questions about what led Microsoft to pull the extension and ban the user. It's also concerning that the original author claims Microsoft has not reached out to him directly. Eager to hear more!
Spoiler: the person who posted on hackernews and is a member of the vscode team is a friend or a direct contact of Theo, probably. They banned us directly, even the extensions that were not using the suspicious old dependency (@sanity).
With all due respect, you created an open-source theme. I won't comment on the true effort and hours it takes to develop something like this, but it's only a few hundred lines of code that rarely need maintenance. After that, you transformed it into closed-source and made a scandal out of it. In the meantime, thousands of people who genuinely contribute to open-source projects do so without drama and never ask for anything in return. If you believe the universe is conspiring against you, perhaps it's time to take a breather and get some fresh air.
@riverar Theo audited only the parts of the extension that were previously open-source. That is, before the author of the extension started rewriting the git history and made the actual extension closed-source. So, in fact, it is about the previous commit tree (which you can still find in plenty of the material theme forks). Additionally, you can find some more information about the original theme and its author in https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you?tab=readme-ov-file#material-theme-but-i-wont-sue-you - TL;DR: He removed the Apache License and then claimed it does not apply anymore (which it does), rewrote the Git history multiple times (the last time today) and made multiple false claims based upon these rewrites. Lastly, only today he moved the corresponding repository from the material-theme organization to the fanny-theme organization (which at the time of writing is already deleted, but you can still find plenty of the elements in the now moved-back repository and the so-called initial commit), moved the repo back to the old organization whilst disabling issues and discussions in their entirety and, lastly, created a third organization for his theme (see also his update to his readme: equinusocio/equinusocio@bed6c1a). All this whilst still being officially banned from the extension store according to this Microsoft comment. I think all this should give a good perspective on who to trust here, and how this all came together and played out.
That is an excellent write-up, @MrSubidubi. As someone that has also been doing open source for a long time: actions from people like the author of Material Theme severely hinder the trust people have in open source. These are unfortunate and selfish actions. I don't know the author, nor their intents, nor whether they are suffering from any conditions, hence I'll abstain from judging their character, but those actions are definitely not something we'd expect from open source maintainers.
Microsoft explicitly stated that the licensing dispute between the author and the community did not influence their decision. While the situation isn't ideal, I still believe we're missing critical information that justifies removing or banning the content/user. @isidorn do you have a timeline for when Microsoft will share more information?
And of course @equinusocio re-uploaded the compromised extension for the second time after being banned from the Marketplace here: https://marketplace.visualstudio.com/publishers/vira-theme If there's nothing wrong with the extension, surely you could wait until the dust has settled and some communication has been established with Microsoft explaining the supposed "suspicious dependency" and getting the ban lifted, instead of circumventing the ban repeatedly.
Where can I find the latest version of the extension pre-removal to do my own investigation into the source? |
equinusocio.vsc-material-theme-34.7.9.zip I didn't find anything malicious aside from it phoning home to get the changelog.
I also have issues finding malicious things there despite all the red flags poking my eyes. At first glance the ReleaseNotes.js is the same as the non-obfuscated version from forks like https://github.com/wpconsulate/lynkdom-material-theme/blob/099d17e95689dde9d229bf8770a72d33f140e30f/build/ui/release-notes.js#L4728 Code referencing passwords and logins is from unshiftio/url-parse
Same @gegtor and @SlickDomique, I de-obfuscated it from the original marketplace zip prior to this event, and ran some scans on it with multiple tools, which yielded no results (js files only in this zip). I'm not sure why it got flagged, but assume there was good reason. Original author mentioned that a dependency was to blame, https://www.npmjs.com/package/@sanity/client/v/2.1.0
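As an added example (not code from this thread, the Marketplace team, or any version of the theme), a small triage script for the kind of review the commenters above describe: unpack the extension zip and flag obfuscation markers, child_process or eval use, and contacted hosts, so a reviewer knows which files to read by hand. The indicator heuristics, the `escalate` rule and the two sample snippets are all constructed for this example.

```python
import re
from pathlib import Path

# Hypothetical indicator set for triaging an extension's bundled JavaScript.
# A hit is a lead to review by hand, not a verdict of malice.
INDICATORS = {
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)|\bexec(?:Sync)?\(|\bspawn(?:Sync)?\("""),
    "dynamic_eval": re.compile(r"\beval\(|new\s+Function\("),
    "network": re.compile(r"""https?://[\w.-]+|require\(\s*['"](?:https?|net|dns)['"]\s*\)"""),
    "obfuscator_names": re.compile(r"\b_0x[0-9a-f]{4,}\b"),      # javascript-obfuscator style identifiers
    "hex_escaped_strings": re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"),  # runs of \xNN-encoded characters
}
HOST_RE = re.compile(r"https?://([\w.-]+)")

def triage_js(source: str) -> dict:
    """Count indicator hits in one JS source and list the hosts it names in clear text."""
    hits = {name: len(rx.findall(source)) for name, rx in INDICATORS.items()}
    hosts = sorted(set(HOST_RE.findall(source)))
    obfuscated = hits["obfuscator_names"] > 0 or hits["hex_escaped_strings"] > 0
    # Obfuscation by itself is a review flag; obfuscation combined with process
    # spawning or dynamic code execution is what a reviewer would escalate.
    escalate = obfuscated and (hits["child_process"] > 0 or hits["dynamic_eval"] > 0)
    return {"hits": hits, "hosts": hosts, "obfuscated": obfuscated, "escalate": escalate}

def triage_dir(root: str) -> dict:
    """Run triage_js over every .js file beneath an unpacked .vsix/.zip directory."""
    return {str(p): triage_js(p.read_text(errors="replace")) for p in Path(root).rglob("*.js")}

# Constructed samples standing in for extension files; not code from any real theme.
# BENIGN fetches a changelog in clear text, the pattern commenters found in the real zip.
BENIGN = '''
const https = require("https");
https.get("https://cms.example.invalid/changelog.json", r => r.pipe(process.stdout));
'''
# SUSPICIOUS hides its strings and spawns a process; the base64 URL shows what a
# plain string scan misses, which is why flagged files still need a manual read.
SUSPICIOUS = '''
var _0x4e2a=["\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73"];
var cp=require("child_process");cp.execSync(_0x4e2a[0]);
eval(atob("aHR0cHM6Ly9kcm9wLmV4YW1wbGUuaW52YWxpZA=="));
'''

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage_js(src))
```

Point `triage_dir` at the directory produced by unzipping the .vsix to get one report per bundled script.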
How do you stop the warning? I have deleted everything I can find that is related by name! |
Sean here from VS Code Marketplace. We take the decision to remove seriously and thoroughly verify any reports. To protect developers, we also prioritize speedy removal of positives. We've posted the reason for removal in RemovedPackages, where we plan to add any future removals as well. Thanks for helping to keep the marketplace safe for everyone.
@seaniyer Just to confirm understanding of the reasoning:
Can we interpret this as the VS Code Marketplace team trying to err on the side of precaution rather than having found concrete malicious code? If the team has any evidence of malicious code having already been included, it would be important for the community to know, as it would allow us to respond quicker in terms of clean-up and checking our systems for further compromise. As I understand it from this reasoning, as well as reports by other members of the community, while they did find questionable things, they did not find anything actually malicious (I didn't have time to check this myself yet). So I can understand the reasoning to take it down preemptively, as with code being obfuscated and utilities included that seem unnecessary for the purpose of the extension, the potential for malicious code being secretly introduced in future updates exists.
For anyone that wants to look into this for themselves, I have the deobfuscated code published here: https://github.com/Yash-Singh1/material-theme-icons-deobf. Some of the deobfuscation might not be perfect, but it gets most of it done right.
@seaniyer Hi Sean, I appreciate the team's work here, but I'm very concerned about the lack of substantial information. Your team cited a 'deep security analysis of the extension' finding 'multiple red flags that indicate malicious intent' and 'additional suspicious code.' Yet the only published reasoning mentions 'obfuscated code and unreasonable dependencies.' This disconnect is frustrating to say the least. Could you please share more specific findings to substantiate these serious claims?
MS should have labelled the plugin as "possibly malicious" instead of issuing this heavy condemnation if you only have unclear proof like this. Announcing it, a plugin used by millions, as malicious has already caused panic in the community.
Also took a look. This is almost certainly a false positive and the 'scanner' that started this whole controversy seems quite ineffective (it puts the same security risk on uBlock Origin and an infostealer extension). Developer seems to have blown the benefit of the doubt with the Apache shenanigans, but that led to this being blown out of proportion.
After being targeted for a removal, the reasonable, good faith action that the developer should have taken would be to reach out to the VS Code team, putting himself at their disposal to address any issues they have identified. Instead, he created multiple different accounts in order to submit the same extensions in an attempt to circumvent the restrictions, and implicated the VS Code devs in a conspiracy to personally censor him. Even though it can be argued that there is no malicious code after deobfuscation (and I would argue that having obfuscated code which spawns child processes to download data for unnecessary reasons is malicious enough to warrant at least a preemptive removal and trigger an investigation), I think it's self-evident that not a single action taken by the developer after having his extension taken down was made in good faith with the goal to reinstate it for the millions of users it had.
@gabs-invoicesimple's take is exactly the direction I believe people should be thinking in. To be fair, I'd really appreciate it if the VS Code Marketplace team provided a deep postmortem, but having said that, the actions of the author of the extension alone are extremely concerning and an outright violation of the terms of use.
CC: @seaniyer At this point I believe it's a necessity for the VS Code Marketplace team to provide more details about their claims and clarify what actual malicious code they observed. We have articles, blog posts, etc. about this popping up in various places; this extension is/was installed on millions of devices. IF there was any malicious code actually executed, then this would have serious security implications for anyone affected. As @std-microblock put it, this is causing a panic; it's also potentially wasting a bunch of time for people having to work on securing systems.
I got one from https://open-vsx.org/extension/Equinusocio/vsc-material-theme and found some sanity usage inside.
Why do you all wanna waste time on the current maintainer if they ain't the one who created this!!!
Material theme was deleted due to malicious activity by Microsoft
Continuing from this https://news.ycombinator.com/item?id=43178831
Can we get an explanation as to what happened?
Should we take steps to mitigate potential compromise?
I did a quick analysis of the extension's code and found it connecting to the author's CMS to get the latest changelog, which is sketchy but not malicious.