A few days ago Amit Assaraf published an article titled “A Wolf in Dark Mode: The Malicious VS Code Theme That Fooled Millions”. In it, the author claims that the “Material Theme” extension is malicious:
A deep analysis concluded that hiding inside its codebase are multiple red flags indicating malicious intent
There is just one problem: no deep analysis was done. The article serves as a marketing piece for a startup's threat-analysis tool (I get it, I've done it too); it provides no substantive information, and it links to said tool as an authoritative source, which offers only this vague, paywalled information:
What is the threat?
Out of curiosity, I ran my own extension through the tool, and despite it doing quite a bit more, the risk score is somehow lower.
These risk scores are determined in some opaque way; this isn't proper disclosure. Despite this, the VSCode team made the unprecedented choice to remotely uninstall the extension from millions of users' machines (mind you, the mechanism used for this broke) and banned the developer.
Without any transparency, millions of VSCode instances were remotely modified. When Apple silently removed Zoom's hidden local web server from Macs, it was clear why such an intervention was necessary. In this case we only have vague information like this:
This tells us 1) this is the first time this has publicly occurred and 2) nothing at all. Was there a threat or not? Were users impacted?
Certain individuals, whom I can only describe as having vulture-like tendencies, inserted themselves into the narrative of this drama to make themselves out to be the heroes of the story. They made it clear that members of the VSCode team were talking and sharing information with them, but the public heard nothing of substance. Their earlier fork of the extension was given an “all good” because:
Our security researchers will review this today and we might take it down. We reached out to the new author and he does not have malicious intent, and agreed that we just take down the new extension if we see something is off.
If you're responsible for a platform that serves non-sandboxed executable code to millions of developers, security should not be based on vibes. VSCode extensions run in the extension host with the same privileges as the user running the editor; there is no sandbox for a malicious extension to escape, so the bar for what gets published, and for what gets forcibly removed, has to be a documented process rather than a conversation.
There seems to be favoritism at play here, with pertinent information being shared with a sole individual who is not an employee of Microsoft, and with VSCode team members responding in support of that individual's dog-piling efforts on social media while ignoring and withholding requests for more details from users who may have been impacted by this undisclosed threat.
The developer behind this extension may have lost respect for their behavior outside of this incident, but accusing them of distributing malware is a serious charge with ramifications for their livelihood; and if they did distribute malware, withholding an actual disclosure delays any remediation those impacted can take.
In either case, this entire circus shows a lack of real process, transparency, and leadership from those responsible for securing the marketplace and working on VSCode.
And if it turns out all of this was triggered by a false-positive report from a startup's shoddy tool, someone will have egg on their face.
We can't even say obfuscated code by itself indicates malicious intent; Microsoft's own C# Dev Kit extension ships with obfuscated code.