Asking for Equinusocio publisher restoration and relative extensions, censorship and shady discriminatory microsoft moves #1173
Comments
For anyone wanting to reveal a real 🤡 here, check "This VS Code theme is threatening people?" video on YouTube. History doesn't lie, dude. And even assuming it was a false positive report that caused this, I'm personally still happy this happened and hopefully, you and anyone else like you will learn their lesson from it. EDIT: OP has removed his mocking reference since I posted this, as he usually behaves. Thankfully, there's the "Edits" dropdown in the post's header, which allows you to check the post's history. |
Put the author's previous bad interactions with the community aside, there's nothing wrong with him choosing to close source and distribute obfuscated scripts instead. People do this all the time. While Microsoft has the right to ban someone for any reason, calling it malware is a very serious accusation. |
The "cloned" (forked) extension is different in a few distinct ways:
You've edited this post over 16 times in the past 12 hours @equinusocio. You need to go offline man, you're not doing well. |
open-source vscode ext & theme should be signed & provide provenance how they were built. this would put my nerve at ease. |
Theo, you should refrain from participating in this matter. You have a history of sending your community into a frenzy and exacerbating situations with superficial information and hasty conclusions. For instance, you posted an entire blog labeling this individual as dangerous and claiming that you were doing so for SEO purposes. It’s evident that you shouldn’t be involved in this matter at all. You cannot insert yourself as the hero in this story for clout; the guy is obviously spiraling. Empathy goes a long way. It’s clear that the VSCode team made a significant choice here, and throughout the process, they have provided no substantial information or analysis. In contrast, when Apple decided to remotely uninstall Zoom, they released a detailed report of their findings. The VSCode team has offered nothing of substance. Part of running a platform is separating personal feelings of the developer from the objective truth of the matter. All third-party analysis conducted thus far indicates that this was a false positive. The issue is simple: publish your findings to certify the reason for the ban (and the criteria you use to determine when to remotely modify users' VSCode instances), or unban the developer. |
Why should Theo refrain when the issue author had accused him of ridiculous claims? If the issue author didn't bring Theo up to the issue, then Theo could have refrained. As a third party to this case (and as a lawyer), Theo has every right to say his piece when he is mentioned. Or the issue author should retract any mention of Theo. The issue is still under investigation. |
Then you should be able to recognize tortious interference. Despite Theo learning more information on a live stream that this most-likely isn't malware, he doubled down and called for the end of the extension author's career based solely on his personal dislike of him from past interactions, going as far as posting a blog with these unproven claims and boosting that blog so it comes up when you Google the author. This is an attempt to canonize something that as you stated, is still under investigation. Any interactions between these parties only serve to exacerbate the situation further. I think the author should remain silent as well, if this turns out to be based on false-positive reports without proper investigation then he can make a pretty strong claim of defamation against a few different parties to this issue. All he has to do right now is nothing. In the meantime, I would love to know why there still hasn't been any material disclosure. Millions of VSCode instances were remotely modified, was there a branch / threat or not? |
The fact that this extension got pulled, and the developer got banned, while containing no malicious code is wild to me. I hope we get an update from microsoft. |
I support the VS Code team's action due to potential risks and user safety concerns. He has engaged in several improper actions that should indeed be condemned, such as modifying the Material Theme License (trying to hide the fact that the project is opensource) and force pushing commits to overwrite other contributors' work. But now that he has made the source code public, I think the VSCode team should provide a convincing reason for continuing to block his account; otherwise, it appears somewhat unfair. |
First, we must understand the perspective of the Microsoft team. They can (and should) suspect an extension and remove it from all devices. The key point is the word “suspect.” If they detect many red flags and believe it is sufficiently suspicious, they should take it down immediately without notifying the extension’s developer or owner. The reason they shouldn’t contact the developer before taking down the extension is that they do not know the content of the obfuscated code. Of course, they could deobfuscate it and review the main code, but that is suspicious enough to warrant its removal. Imagine if this were a potential threat and the Microsoft team decided to contact the developer or owner, even though there are already enough red flags to justify taking it down. It is impossible to know if they would execute something using the suspicious code. The Microsoft team should also consider the actions of the developers and owners. Another point is that we should not make definitive accusations without certainty. Even if you dislike—or even hate—the developer, you should not make random accusations without proof that the code is indeed malicious (I'm not referring to mere suspicion, but to cases where the code is directly attacking, damaging, or stealing from the user). In my opinion, this decision is spot on, and the Microsoft team should investigate the extension while it is unavailable to the public. Regarding the actions of Theo and the Microsoft team, they did not claim that the developer’s purpose was to ship a malicious extension to hack or attack users. Instead, they shared their concerns, potential risks, and what happened overall. If I miss any point or share misinformation without being aware of the most recent events (even though I have read everything and have been watching closely from the start), please let me know, as I do not want to accuse or spread false information that could damage either party or any individuals. |
Nuked a perfectly open source theme... sure buddy, sure. |
I really can't understand why someone would submit obfuscated code, even worse with
Just because people do bad things all the time doesn't mean others can follow the example without consequences. And asking to "put the author's previous bad interactions with the community aside" seems not a reasonable thing to ask. Bad interactions also talk. |
I covered this at length here. According to the initial post that triggered all this, there weren't any 'exec' calls. The automated analysis was very opaque. |
This will be my only and final comment to prevent this serious discussion from turning into a circus of clowns. A certain individual named Theo—whom I do not know, have never spoken to, interacted with, or even responded to his public accusations—is not the focal point of this issue. He is pursuing his own personal crusade against... something, entirely on his own. The fact that he claims to want an apology from me (for what exactly?) says more about his personal agenda than any valid argument. In fact, his demand for an apology seems to carry more weight than the actual content of his videos. This is nothing more than a personal stance, entirely devoid of facts or evidence.
That said, the real purpose of this official request is to expose the questionable actions taken by Microsoft—banning and censoring an individual while publicly associating them with criminal activity without a shred of concrete proof, while allowing other "malicious" extensions (Theo's fork prior to v35) to remain published. Let's keep the clowns out of this serious, adult discussion.
To Those Complaining About My Edits:
|
Ngl I find this kinda funny. @equinusocio Jokes aside though, why did you edit your initial post 52 times in the past 2 days? |
He already gave the reason why he did that, and I completely agree with him about that, as a non-native English speaker (this language is my 3rd language). So to make the statement "clear", I myself do the same thing a lot!
@equinusocio Second, until MS shows their real "evidence" and has an official report, I think you should take a rest for several days. Take a good nap, eat healthy food to keep your "brain" fresh. And don't think about some random guy named "Theo" or whatever... we have more important things to do than argue with a random person we haven't even met or talked to. @microsoftopensource |
I also find it infuriating that anyone can just in a matter of seconds completely shun someone without any proof, based on suspicions, and completely ruin a career in a matter of seconds. Even though @equinusocio is lacking manners and his past behavior defaming complete organizations such as Sublime Text or Zed is making the guy completely unlikeable and unwilling to pursue any collaboration with him, accusing him of crime, putting his career in jeopardy (because, this will probably go beyond the open source community if he is accused of scam or malware) is not something I'd have expected from Microsoft nor GitHub. Maybe from X or from Meta, perhaps, but Microsoft? And without any valid claims? This is making me shiver as a contributor to open source. |
There is evidence you are an alt of the creator. Matteo should not close source or attack zed or anything |
This whole post is full of @equinusocio alts |
What about the child process ability |
Long-time Theo YouTube subscriber here. Being an ass is not a crime. If you want to ban Mattia for being an ass (which, I'm sorry to say, he is), that's what Codes of Conduct were invented for. Or good old cancellation. But banning someone on a fabricated pretext of distributing malware is not acceptable. I really hope that's not the case. |
Go mow a field |
I'm not taking sides, but I disagree with removing an extension based on obfuscation, as that alone doesn't prove malicious intent. By that standard, nearly any software could be labelled malicious – obfuscated paid icon packs, DRM-protected games, browser extensions, you name it. Platforms should focus on robust threat detection, transparent reporting, and clear explanations when removing content. I'd be very frustrated if VS Code removed a regularly used extension without providing concrete evidence of malicious activity. Such actions make a platform seem unreliable. Ideally, VS Code should have presented a detailed report outlining how the obfuscated code was demonstrably malicious. The situation seems to have escalated into unnecessary drama. While Mattia's response to the original Material Theme and decision to make it closed-source weren't ideal; and honestly he should've taken a break; labeling him a malware distributor and discouraging his hiring, as Theo did, seems excessive and defamatory. Similarly, VS Code's one-line rationale for potential malicious behavior and the subsequent ban appear hasty. It feels like the decision-making process may have been influenced by emotions or bias, rather than a thorough and objective investigation, from all parties. |
Since I’m apparently a "person with malicious intent"—and also incredibly stupid for being the first user of Material Theme and supposedly sending viruses to my own machine—I took it upon myself to open the source code of the last published version of Material Theme (despite no one asking me to do so). I conducted my own investigation and reported everything in my initial post. Caution But let me tell you more—the cloned extension (and probably more), published by an individual named Theo, the one that the VS Code team classified as having "no malicious intent", still contains the exact same code on the marketplace (just without obfuscation), including suspicious username and password references prior to v35. So, by that logic, every user running that extension—an extension actively supported by the VS Code team—before v35 should also have their extension removed. Yet, it's still there, and strangely, no one has accused its author of having "malicious intent." |
I'm not a big Theo fan personally, I dislike how he dramatizes much of the tech world...very much like he did here too, which blew pieces of this situation way out of proportion. However even though I dislike Theo much of the time I can appreciate the documentation of the sequence of events. I do however believe Theo, and other techfluencers, are part of the problem with these kind of situations as they look for the dollar, not the truth most of the time. This in turn causes many more eyes which don't look objectively on the situation. Reading between the lines here, I think there's valid reasons for concern both from the code side and the creator. Now I'm not saying these are malicious, just red flags:
Now the author claims it was parts of the code that were forgotten about that led to the alarms being raised (old packages, etc) which I think is worth raising the alarm bells because of the amount of people who used it. Yes we're open source and we donate our time but I believe that it's VSCode/Microsoft's responsibility to remove potentially exploitable extensions and themes. If there are parts of the codes which are in fact vulnerable I do think it should be removed. That being said, I think outright banning is a bit...overboard. I can even understand the uninstalling piece. I feel like we're missing a large piece of the puzzle in the public that the VSCode team has not shared. In my opinion the process should have been:
It is absolutely concerning that potentially exploitable code and old systems and dependencies (as I recall the author stating) were left in without ever cleaning them up. Again I understand it's open source but if you're looking to turn it into a premium product you shouldn't have those kind of issues. My message to @equinusocio I understand English isn't your first language as someone quoted and I can empathize with the frustrations that people could be taking things like edits out of context (although there could be suspicious edits, I don't know). I know that can be frustrating. I know how frustrating this entire situation is and it can feel like a complete shit storm. I get it, but the act of wiping git history, changing names (no matter if it's planned), publishing under different names really doesn't paint the best light even if there's nothing malicious. I'd really advise you to take a breath, go get some fresh air for a couple days. It's not the end of the world and maybe see about trying to start a conversation with the VSCode team on a different footing and come through the viewpoint of understanding and willingness to hear them out. Maybe they'll give you some clarity or maybe you'll discover some bias, I don't know. What I do know is making statements about random videos or creators will never bring the attention you want, especially if there's valid criticism (which I think there's definitely some but that's a different conversation altogether). EDIT: Again, I want to emphasize how much I think Theo and techfluencers like Theo did a disservice to this situation in the way they "reported" it. It wasn't reported as facts or timeline but more of a "holy crapballs batman, this guy is insane" which no matter what is true is not the right way to report something like this and only creates a vortex of potentially misinformed devs flocking to a situation in which they only parrot their creators' opinions on. |
Don't take this the wrong way, but open sourcing an already open sourced project isn't something that one should have to ask. I hope you can see that from an outside perspective this behavior is very strange. All of a sudden deleting reports, renaming things, a git history that's less than a year old for such a large and old theme. Even though we can see the code now, parts of the history are gone and can't be audited for us to even try to clear your name. Yes we should believe innocent until proven guilty, but the actions taken throughout this process are not the actions of an innocent person...even if it's just unlucky timing.
I read through a majority and had to take a break and I'll come back to it. To be honest most of it just seems like a hit piece on other people or claiming there's some big conspiracy, etc. Which may or may not be true but it's...really dense and reads much like a manifesto.
I gotta say, this I agree with you on for the most part. While I think there were concerns for yours they did treat Theo's much differently. I'd be interested in learning more from the VSCode team on why that was. |
@k190-web thanks for that callout, somehow I missed that portion and just looked at the RemovedPackages and did notice it was about icons. EDIT: I think even my own confusion is a side-effect of all the changes that are being made and making it hard to get any clear aspect of this entire situation. EDIT 2:
They do state that it's |
I don't think any of us can speak 100% to their real investigation piece but I do agree with the valid criticism about them not reaching out to you to resolve anything based on the result of their findings in the RemovedPackages. |
I am willing to be wrong in that aspect, as I mentioned earlier your OP is really dense and the way it reads doesn't make it much better so I have to finish and re-read it to make sure I personally get all the points you're trying to make. Could be the fact that English isn't your first language or the way it reads but it really a lot.
I hope you do take the necessary steps to allow us in the community to contribute to the audit, no matter the outcome and appreciate it. As for Theo, while I think there's valid criticisms in aspects of what he says I'm just also pointing out the flaws in his promotion. I don't think anyone is 100% in the right in this entire situation and really hope it comes to a clear, transparent resolution for all our sakes. |
@equinusocio just a question: If you meet one jerk, they might just be a jerk. If everyone you meet is a jerk, maybe you're the jerk. Have you thought of this once? I hate to be that guy, but seriously it's getting kinda ridiculous... |
Was Material Theme removed? Yes.
He's doing in the public socials and again referencing icons is not that informative. Mattia referencing to theme in the issues of Microsoft owned repo and it's much more important to use precise terms. It's also funny you selected the parts that references to Mattia's past actions. Which are about Material Theme, lol. especially the last part where he tells us what VSCode did. And they removed both Material Theme and icons |
There are plenty of reasons why These calls seem to be part of some build scripts that got bundled into the extension by mistake? They're TypeScript files that, from a cursory inspection, don't get imported anywhere in the actual extension itself. The So unless there's some vulnerability in one of these three packages ( Edit: |
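The reasoning in the comment above (process-spawning calls sitting in build scripts that the extension itself never imports) can be checked mechanically. The following is an added example, not code from this thread or from either extension: it walks the import graph from the `main` entry in `package.json` and separates files importing `child_process` that the extension can load from files that merely ship in the package. The file map, the file names and the choice of `child_process` as the module to flag are constructed assumptions.

```javascript
// Constructed sample: an unpacked extension as a path -> source map (not the real extension).
const SAMPLE_EXTENSION = {
  "package.json": JSON.stringify({ name: "sample-theme", main: "./out/extension.js" }),
  "out/extension.js": "const notes = require('./release-notes');\nexports.activate = () => notes.show();\n",
  "out/release-notes.js": "const fmt = require('./lib/format');\nexports.show = () => fmt.render();\n",
  "out/lib/format.js": "exports.render = () => 'ok';\n",
  "scripts/build.ts": "import { execSync } from 'child_process';\nexecSync('tsc -p .');\n",
  "scripts/publish.ts": "import { spawn } from 'node:child_process';\nimport './build';\n",
};

// Collapse "." and ".." segments in a POSIX-style relative path.
function normalize(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return out.join("/");
}

// Module specifiers from require(), dynamic import(), `import ... from` and bare `import "x"`.
// Regex-based on purpose: it only sees literal specifiers, not computed ones.
function findImports(source) {
  const specs = [];
  const re = /(?:\brequire\s*\(\s*|\bimport\s*\(\s*|\bfrom\s+|\bimport\s+)(['"])([^'"]+)\1/g;
  let m;
  while ((m = re.exec(source)) !== null) specs.push(m[2]);
  return specs;
}

// Resolve a relative specifier against the importing file; bare package names return null.
function resolveImport(fromFile, spec, files) {
  if (!spec.startsWith(".")) return null;
  const dir = fromFile.includes("/") ? fromFile.slice(0, fromFile.lastIndexOf("/")) : "";
  const base = normalize(dir + "/" + spec);
  const candidates = [base, base + ".js", base + ".ts", base + "/index.js", base + "/index.ts"];
  return candidates.find((c) => Object.prototype.hasOwnProperty.call(files, c)) || null;
}

// Breadth-first walk of the import graph starting at the entry point.
function reachableFrom(entry, files) {
  const seen = new Set([entry]);
  const queue = [entry];
  while (queue.length > 0) {
    const file = queue.shift();
    for (const spec of findImports(files[file])) {
      const target = resolveImport(file, spec, files);
      if (target && !seen.has(target)) {
        seen.add(target);
        queue.push(target);
      }
    }
  }
  return seen;
}

const SPAWN_MODULE = /^(node:)?child_process$/;

// Classify every file that imports child_process as loadable at runtime or as a packaging leftover.
function auditExtension(files) {
  const manifest = JSON.parse(files["package.json"]);
  const main = manifest.main || "index.js";
  const entry = resolveImport("package.json", main.startsWith(".") ? main : "./" + main, files);
  if (!entry) throw new Error("entry point from package.json not found in package");
  const reachable = reachableFrom(entry, files);
  const report = { entry, reachable: [], unreachable: [] };
  for (const name of Object.keys(files).sort()) {
    if (name === "package.json") continue;
    if (!findImports(files[name]).some((s) => SPAWN_MODULE.test(s))) continue;
    (reachable.has(name) ? report.reachable : report.unreachable).push(name);
  }
  return report;
}
```

A file listed under `unreachable` is not loaded through any literal import chain from the entry point, which supports a "bundled by mistake" reading; it says nothing about bundled or obfuscated output, where the dependency is inlined rather than imported.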
Motivations
As you stated here, there was nothing CONFIRMED to be harmful in our previous version of Material Theme (which has since been completely rewritten) at the time you published the official communication to the whole web (Reddit, HackerNews, Github). Despite this, you took down 6 extensions (but mentioned only Material Theme Icons), banned my entire account, and caused disruptions for millions of users—including introducing real problems (which you admitted responsibility for on HackerNews — image proof).
This decision destroyed 10 years of reputation and trust, all based on unfounded SUSPICIONS regarding obfuscated code—something you dislike, even though there was no evidence of harm. The only issue was an outdated sanity.io dependency within the obfuscated code, which could have been fixed in 30 seconds.
You not only banned my entire account but also blocked my email, preventing me from contacting you in any way. There was no official channel provided to appeal or even discuss this matter. You never reached out for clarification (neither pre-ban nor post-ban) — unlike in other cases where you contacted fork authors after our ban — nor did you request that we deobfuscate the code or access the source code. I never received any notification about the ban—I only found out when a friend shared a Hacker News post with me, hours later.
You acted differently depending on the interlocutor. As you stated here, you reached out to other "authors" AFTER the ban and both agreed that they had no malicious intent. Yet, when it came to me, you decided I had malicious intent (despite the code being identical, but you saw it obfuscated) — without ever reaching out to me, either before or after the ban, without any confirmation or proof.
Dark behavior and debatable actions
All forks created when our extension was open-source contained the exact same so-called "compromised" code—just without obfuscation. Yet, instead of taking them down, you reached out to them after our ban as stated by an individual called Theo(image proof), giving them time to update their versions while our extension was removed entirely.
For example, one of the many cloned extensions—created by this 🤡 Youtuber called Theo —contained the so-called "suspected code" right up until the ban. Yet, unlike Material Theme, they were given time to clean it up. After some minutes, they removed all the "suspected code".
Even more concerning, any user who installed version <35.0.0 of that fork – before the cleanup – and hasn't updated is still using that so-defined "compromised" version and dependency — yet the extension remains publicly available. Why the double standard?
Furthermore, there is NOTHING in the marketplace terms prohibiting closed-source or obfuscated code. If obfuscation was a concern, we could have easily removed it upon request.
Involvement with Other Fork Authors
Within just a few hours, you—as a VS Code team member, and by extension, Microsoft—were already promoting the very fork that you gave time to fix and remove the so-called "suspicious code". Code which is still PUBLISHED and used by users prior to v35 (read above).
This raises serious concerns about bias and suggests either a deliberate attempt to undermine our credibility or, at the very least, a clear lack of professionalism from your team.
Persistent Unfair Treatment
We attempted to release a new version of our extension under a new name (the rename was planned) and a new publisher (vira-theme). Even though this version was completely rewritten from scratch, with no dependencies or runtime code related to your previous concerns, you repeatedly took it down without any public explanation or direct communication with us, and just based on random comments on Reddit. The only apparent reason for this action seems to be the presence of obfuscated code—implying that obfuscation alone is enough to classify an extension as malicious.
Additional discriminatory actions
@isidorn (PoemBusiness6939 on Reddit) as Microsoft's official voice, publicly accused that a random individual was impersonating me, solely based on the fact that they were criticizing Microsoft's actions.
This is not only false and baseless but also discriminatory.
This behavior sends a troubling message to the community: that decisions are being made based on unfounded suspicions, rather than proper investigation. This has nothing to do with security.
Community feedback and false positive
Additionally, there are clear signs of a false positive report from your community, yet no effort was made to verify this before taking irreversible action.
From this repo
Requests
If your review of MY SOURCE CODE confirms that there is nothing malicious, I formally request the full restoration of our publisher accounts (Equinusocio and vira-theme), all related extensions, and user access to the theme. Additionally, all installations and insights should be reinstated.
I also request a public apology from the team (and @isidorn the person who started this panic-oriented campaign) and the removal of all misleading, panic-inducing information shared on Hacker News and other official channels even before real investigation or CONFIRMED malicious code, and before any official statement. Even if malicious intent were proven, there was absolutely no justification for giving other forks time to remove the violated dependencies while immediately taking down Material Theme based on false claims—without any prior investigation.
Conclusion
As for the VS Code team — and by extension, @microsoftopensource — the entire team, and particularly @isidorn, publicly accused me of criminal activity by spreading false and unverified information.
This is defamatory and illegal under multiple legal frameworks, as it constitutes false accusation, reputational damage, and libel. Publicly accusing someone of criminal activities — such as intentionally distributing viruses or malicious code — without evidence is a serious offense. This is especially true when the accusation comes from a major corporation with significant influence, as it can cause severe reputational and professional harm. Such actions can have real-world consequences, including professional and personal harm.
I will also reach out to Microsoft to resolve this matter and pursue the appropriate action.
March 2, 2025 (4 days after the "malicious intent" statement): They still haven’t reached out to me.
Yet another example of the VS Code team's unprofessionalism and their questionable involvement with this individual named Theo. This confirms what was stated earlier: they removed my other account with a completely new extension (Vira Theme), without even bothering to review it. This goes far beyond "security" concerns.
Willing to collaborate
I am willing to grant vscode team access to review, for real this time, the source code. I've opened the code so everyone, and not only the vscode team or controversial startups can see and perform their analysis. I am also open to discussing the obfuscated code and the reasoning behind this decision to reach a fair resolution and provide you the new .vsix file to restore on the marketplace in place of the old "harmful" version of the extension.
Source code of release-notes.ts (the subject file)
Deobfuscated compiled release-notes.js (the subject file)
Obfuscated release-notes.ts (the subject file)
It takes just 30 seconds to see that there is no direct correlation between the build code and the source code. There is a potential issue that lies in how code is compiled that pulls in the @sanity.io/client dependency inside the output build, with or without obfuscation.
What kind of "person with malicious intent" openly shows their face and actively collaborates?
March 3, 2025 (4 days after the "malicious intent" statement): They still haven’t reached out to me.
I bet no one—myself included—initially realized that the "suspicious" extension appears to be only Material Theme Icons, meaning some of the previous statements are partially inaccurate.
That said, as part of my supposed "malicious intent," I have also opened the source code of that extension so that anyone can analyze it directly, rather than relying on speculation based on obfuscated code. I don't care about this anymore, my conscience is clear, who knows if this also applies to others.