Microsoft apologizes for removing VSCode Material Theme extension (opens in new tab)

(bleepingcomputer.com)

6 pointsmegadata1y ago7 comments

7 comments

5 comments · 2 top-level

cratermoon1y ago· 2 in thread

"Researchers Amit Assaraf and Itay Kruk, who were deploying AI-powered scanners seeking suspicious submissions on VSCode, first flagged them as potentially malicious."

AI-powered vulnerability reporting is a scourge.

jasonthorsness1y ago

Well flagging as “potentially malicious” seems fine and super useful. Companies just need to have competent investigation of the reports and avoid the dark side of automating action just because it’s cheaper.

cratermoon1y ago

"just".[1]

AI-powered bots can generate a flood of reports of "potentially malicious" code. No company could possibly keep up. Effective DDOS attack on security. Not even the NIST can keep up. https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed...

1 https://sgringwe.com/2019/10/10/Please-just-stop-saying-just...

1 more reply

megadataOP1y ago· 1 in thread

Personally I think Microsoft was in the right. Obfuscated code like this shouldn't be in an extension, at least with out a very big warning and a red flag.

soraminazuki1y ago

It's worth noting the code is illegally relicensed without permission from copyright holders. The author is acting in bad faith.

https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you

Also,

> obfuscated code which spawns child processes to download data for unnecessary reasons

https://github.com/microsoft/vsmarketplace/issues/1168#issue...

No one in the right mind would expect a theme to do this. Its only purpose is to provide static data to the editor.

j / k navigate · click thread line to collapse