Date: 2025-03-13

Earlier today, we covered the incident of Microsoft Defender flagging the Winring0 driver inside PC monitoring and fan control apps as malicious. Although at first glance it may seem like an obvious false positive, it turns out there is more to the story.

However, that is not the case with a couple of Visual Studio Code (VSCode) extensions that were earlier removed by Microsoft from the Visual Studio marketplace after they were marked as potentially harmful.

The problem mainly occurred because there was a lot of obfuscation in the code of two themes, namely "Material Theme – Free" and "Material Theme Icons – Free". Code obfuscation is a technique fairly commonly used by threat actors, so it is natural that Microsoft was on red alert about it.

It turns out, though, that the obfuscation was not out of any ill intent. After realizing this, Scott Hanselman, the Vice President at Microsoft for Developer Community, thoroughly apologized for the inconvenience, and the two extensions have since been restored on the marketplace. Hanselman writes:

False positives suck, and it hurts when it happens. The publisher account for Material Theme and Material Theme Icons (Equinusocio) was mistakenly flagged and has now been restored. In the interest of safety, we moved fast and we messed up. We removed these themes because they fired off multiple malware detection indicators inside Microsoft, and our investigation came to the wrong conclusion. We care deeply about the security of the VS Code ecosystem, and acted quickly to protect our users. I understand that the "Equinusocio" extensions author's frustration and intense reaction, and we hear you. It's bad but sometimes things like this happen. We do our best - we're humans, and we hope to move on from this. We will clarify our policy on obfuscated code and we will update our scanners and investigation process to reduce the likelihood of another event like this.

These extensions are safe and have been restored for the VS Code community to enjoy.

You can find the issue here on the Visual Studio Marketplace's official GitHub repo.