Material Theme has been pulled from VS Code's marketplace
116 comments · February 25, 2025 · isidorn
anakaine
You might need to chase down reuploads, too.
https://marketplace.visualstudio.com/items?itemName=t3dotgg....
Lermatroid
This is an older pinned version before the license and malware stuff started going down afaik
isidorn
Thanks. Our security researchers will review this today and we might take it down. We reached out to the new author and he does not have malicious intent, and agreed that we just take down the new extension if we see something is off.
joshka
Can you please clarify whether the fork also suffers from the same security issues (or engage the fork's owner to ensure that it doesn't https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you)
theobr
Hi, owner of the fork here.
I did a thorough combing of the code base when I forked. Just did another audit and still not seeing anything suspicious. Gutting all of the opencollective and changelog code to be 1000% sure.
theobr
The only potential risk was the use of sanity to render a changelog. I didn't want to risk it, so I gutted that and a ton of other stuff. Just published a new, stripped down version.
https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you/p...
isidorn
Thanks for flagging it. Our security researchers will analyze it and based on their findings we might remove this one as well.
bagels
This is really confusing to me. The original discussion was about changing licenses, but somehow (coincidentally?) there was malicious code discovered shortly after? Are these related?
dark-star
It's a common theme:
- build an open-source thing
- wait till thousands or millions of people are using it
- change the license and close down the source
- implement malicious code
- push an update
- profit! you now have your malware running on millions of systems
buttercraft
Just to be clear, which publisher was banned? Maybe I'm being stupid (it's late here) but I'm struggling to track the various parties involved.
Anyway, thank you for the update.
isidorn
The publisher Equinusocio was banned.
WhyNotHugo
The issue to which op links now yields 404. What's up with that?
isidorn
I am in European time and I do not know what happened on that post (since I was sleeping). I assume there were some heated arguments between maintainer and community about license/copyrights/open source maintenance.
alexlur
Will Microsoft consider adding a permission model for extensions?
isidorn
This is tracked in this feature request https://github.com/microsoft/vscode/issues/52116
We do not plan to add a permission model in the next 6 months.
yukIttEft
> We do not plan to add a permission model in the next 6 months.
I guess Copilot functionality trumps "Security above all else" now.
https://blogs.microsoft.com/blog/2024/05/03/prioritizing-sec...
fragmede
Given the enormity of the attack surface that has just been exposed, that's disappointing.
Ayfri
oops
theobr
Hey y'all, I made the most prominent fork of this extension "Material Theme (But I Won't Sue You)"
The maintainer went off the deep end last year. He pulled the (originally apache 2) source offline, then started threatening to sue people for hosting alternative versions, including them in other IDEs, etc. Genuine lunatic.
Out of an abundance of precaution, I've taken the following action on my fork:
1. I have the VS Code team auditing it as we speak, and I've given them full permission to immediately pull it from the marketplace & force uninstall it from users if they find ANYTHING malicious.
2. I have audited the code base thoroughly (nothing seemed malicious)
3. I have removed ALL code related to changelogs, analytics, Open Collective and html rendering.
The only thing that seemed slightly concerning was the html + sanity loader for changelogs, so I gutted it entirely. Two PRs removed almost all the deps and over 7,000 LoC (mostly package-lock)
Repo is here if anyone else would like to audit https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you
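The audit described above (check whether a "theme" ships executable code, activates on startup, phones home, or decodes and evaluates blobs) can be done mechanically before anything is removed. The script below is an added example, not code from the fork, the original extension or the VS Code team; it runs over an unpacked extension directory, reads package.json, and greps JS/TS/HTML sources for a constructed list of indicators. The indicator list, the manifest checks and the sample extension it builds in a temp directory are all constructed for illustration, so treat hits as triage prompts for a human reader, not verdicts.

```python
"""Static triage of an unpacked VS Code extension for the red flags discussed
in the thread. Added example: indicator patterns and the sample extension
built by build_sample_extension() are constructed, not taken from any real
extension."""
import json
import re
import tempfile
from pathlib import Path

# (label, regex) pairs; constructed for this example, tune for your own review.
INDICATORS = [
    ("dynamic-eval", re.compile(r"\beval\s*\(|new\s+Function\s*\(")),
    ("process-spawn", re.compile(r"child_process|\bexecSync?\s*\(|\bspawn\s*\(")),
    ("network", re.compile(r"require\(\s*['\"](https?|net|dns)['\"]\s*\)|\bfetch\s*\(|XMLHttpRequest")),
    ("decode-blob", re.compile(r"\batob\s*\(|Buffer\.from\([^)]*['\"]base64['\"]")),
    ("hex-escapes", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")),      # dense \xNN string = obfuscation smell
    ("long-base64", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),  # large inline opaque blob
]
SOURCE_SUFFIXES = {".js", ".ts", ".mjs", ".cjs", ".html"}
THEME_CONTRIBUTIONS = {"themes", "iconThemes", "productIconThemes"}


def scan_source(path: Path) -> list:
    """Return (label, line_no, snippet) for every indicator hit in one file."""
    hits = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for line_no, line in enumerate(text.splitlines(), 1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((label, line_no, line.strip()[:80]))
    return hits


def scan_manifest(manifest: dict) -> list:
    """Manifest-level flags: a pure theme needs no entry point and no activation."""
    flags = []
    contributes = manifest.get("contributes", {})
    theme_only = bool(contributes) and set(contributes) <= THEME_CONTRIBUTIONS
    if theme_only and "main" in manifest:
        flags.append("theme-only extension declares an entry point (main=%s)" % manifest["main"])
    if "*" in manifest.get("activationEvents", []):
        flags.append("activates unconditionally on startup (activationEvents contains '*')")
    if "postinstall" in manifest.get("scripts", {}):
        flags.append("package.json runs a postinstall script")
    return flags


def audit_extension(root) -> dict:
    """Walk an unpacked extension; node_modules is skipped (review deps separately)."""
    root = Path(root)
    report = {"manifest": [], "files": {}}
    manifest_path = root / "package.json"
    if manifest_path.exists():
        report["manifest"] = scan_manifest(json.loads(manifest_path.read_text(encoding="utf-8")))
    for path in sorted(root.rglob("*")):
        if path.suffix in SOURCE_SUFFIXES and "node_modules" not in path.parts:
            hits = scan_source(path)
            if hits:
                report["files"][path.relative_to(root).as_posix()] = hits
    return report


def build_sample_extension(root) -> Path:
    """Write a constructed (not real) theme extension that carries the smells."""
    root = Path(root)
    (root / "themes").mkdir(parents=True)
    (root / "out").mkdir()
    manifest = {
        "name": "sample-theme", "version": "0.0.1",
        "main": "./out/extension.js",          # a colour theme has no reason to have this
        "activationEvents": ["*"],
        "contributes": {"themes": [{"label": "Sample Dark", "uiTheme": "vs-dark",
                                    "path": "./themes/dark.json"}]},
    }
    (root / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "themes" / "dark.json").write_text(
        json.dumps({"colors": {"editor.background": "#263238"}}), encoding="utf-8")
    blob = "QUJD" * 60  # constructed base64-looking payload ("ABC" repeated), 240 chars
    (root / "out" / "extension.js").write_text(
        "const https = require('https');\n"
        "function activate() {\n"
        f"  const blob = '{blob}';\n"
        "  eval(Buffer.from(blob, 'base64').toString());\n"
        "}\n"
        "module.exports = { activate };\n", encoding="utf-8")
    return root


def run_demo() -> dict:
    """Build the sample in a temp dir and audit it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extension(build_sample_extension(Path(tmp) / "ext"))


if __name__ == "__main__":
    # Point audit_extension() at a real unpacked .vsix (a zip) to use it for review.
    print(json.dumps(run_demo(), indent=2))
```

A .vsix is a zip; unpack it and run audit_extension() on the extension/ folder inside. The manifest check is the cheapest and strongest signal for this class of extension: a colour theme is data under contributes.themes, so any main, activationEvents or install script deserves a reason before the source hits are even read.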
do_not_redeem
Someone uploaded a replacement, Material Theme (But I Won't Sue You)
https://marketplace.visualstudio.com/items?itemName=t3dotgg....
oefrha
The original author seemed to talk a lot about funding development/maintenance, so I got curious about what the hell needs to be maintained. I cloned the https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you repo and had a look. Here's a LoC summary:
===============================================================================
 Language              Files        Lines         Code     Comments       Blanks
===============================================================================
 CSS                       2          142          119            0           23
 TypeScript               32         2026         1650          243          133
-------------------------------------------------------------------------------
 HTML                      2           59           49            1            9
 |- JavaScript             2            2            2            0            0
 (Total)                               61           51            1            9
===============================================================================
 Total                    36         2227         1818          244          165
===============================================================================
Among those, 622 lines of TS are hex color definitions for variants in scripts/generator/settings/specific. Most of the rest seems pretty boilerplatey, e.g. look at the 599 lines in scripts/generator/color-set.ts. So the question remains: what the hell is there to maintain (that takes more than a couple minutes every $godknowshowlong)? I've published and maintained waaaaay more substantial open source projects for years without expectation of any financial contribution.
bad_user
There's nothing wrong with building proprietary software of a couple of thousand lines of code, including themes. And people should be able to ask for money in exchange for their work.
What's wrong is the bait and switch, as these projects end up being popular because of their FOSS nature.
miyuru
He had raised about $7.6k total funding using opencollective.
https://opencollective.com/material-theme
that's pretty good, especially for a vscode theme.
weinzierl
"What's wrong is the bait and switch,[..]"
Morally wrong, legally not so much. If it is under a permissive license (and it was MIT originally as others have pointed out) you can always cut a proprietary version.
That doesn't take away the right to use the permissively licensed code of course.
gamedever
It's a problem. As soon as it became easy to ask for money via Patreon or GitHub sponsorship, etc... tons of people are going to try to get some for minimal effort. It's just the nature of the beast.
oefrha
Asking for money isn’t a problem. The problem is this person went out of their way to extract money by harassing people who rightfully use the open source Apache 2 version, switching the marketplace extension to a closed source version with obfuscated code (likely malicious according to MS), and possibly more, all this for doing a quite small amount of work. That’s after already raising $7.6k, apparently.
phyzix5761
I think effort is irrelevant. Value is what we really look at when deciding what price to pay. It doesn't matter to most people if it took someone a 1000 hours to produce a loaf of bread. They're not going to pay 100x the price of the bread that took 10 hours to produce. Especially, if the products are mostly indistinguishable.
theobr
hi, maintainer of the fork here
just did a pass and removed everything that was not necessary - it's even less code now lmao
-------------------------------------------------------------------------------
Language                     files          blank        comment           code
-------------------------------------------------------------------------------
TypeScript                      23             50            169           1307
Markdown                         6            129              0            224
YAML                             2              8              6             52
INI                              1              1              0              7
-------------------------------------------------------------------------------
SUM:                            32            188            175           1590
-------------------------------------------------------------------------------
yellow_lead
Looks like the creator of the replacement is the tech YouTuber theo (https://m.youtube.com/@t3dotgg)
theobr
Oh hey, that's me! Not surprised this guy went kind of insane tbh
compootr
Reading the commentary, this guy seems unhinged. He thinks he owns literal hex codes
he sucks at tech and has driven away everyone good at it. I don't use his software, but I hope he gets out of this episode soon (and learns he didn't invent material!)
ukuina
> He thinks he owns literal hex codes
Pantone would like a word.
donatj
Pantone is a lot more than hex codes, it's a whole system of material science for colors.
Dylan16807
Pantone does a lot of legitimate work, but also they pretend to own the hex codes for their colors.
Krutonium
Yep - Give them a Pantone Color and a Material, and they can tell you how to get that material in that exact color.
KronisLV
I'm quite happy that nowadays most tools have competently made themes out of the box, so that if someone wants to minimize risks from something like this and keep the extensions/addons they install to a minimum, that's pretty viable.
Of course, it's also nice that it's possible to theme the software to such a degree and improve usability and accessibility in some cases, just that the feature requests about limiting permissions need to be addressed.
oneeyedpigeon
I find it curious that themes can be a security risk at all. Clearly, they consist of more than just the colour codes and font definitions one might assume. Maybe the theming system needs to be tightened.
Starlevel004
What is it about material themes that does this to people? The same kind of thing happened to the IntelliJ one half a decade back.
At least that one wasn't literally just colours.
StrauXX
The post has been deleted: https://web.archive.org/web/20250226020241/https://github.co...
joshka
@dang can you please update the link to the archive link
joshka
If you do a bit of a repo dive, the repo was initially MIT licensed from its initial commit for at least a couple of years before that license was replaced by Apache 2.0, so there's an argument to be made that that license also applies.
sparkie
The Apache or MIT license would permit you to continue using it for all versions up to the last commit which used that license. Any later commits under a different license would not be Apache licensed and you would need to follow the new terms if using those newer versions. The new license doesn't prevent you from sharing forks of the older version which was Apache/MIT licensed.
joshka
Kinda, it's complicated. When someone other than the owner of the repo contributes code, they own the copyright to that code. When the author changes this repo's license like this they're redistributing the external contributor's copyrighted code. The permission to do so is granted by the Apache 2.0 license and is subject to the conditions of it. Without the permission to distribute the contributed code, the author is engaged in a violation of copyright law. Note the Apache terms:
> "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
This covers not just the users, but also the "author" here who exercises the permissions granted below:
> 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
> 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
> (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
So let's interpret that. Regardless of the whatever intent to re-license the code exists in the mind of the author, in order to distribute the code which was contributed by others, the only legal means to distribute this code must comply with the requirements of the license. Technically they could remove all code contributions which were contributed by others (I've done this in the past, it's a pain to do right), or seek permission from the others to add additional grants that are not included in the Apache license here (I've seen various projects do the post-facto CLA thing for this). But that has not happened here.
So (in my opinion) the github repo of the author is currently infringing the copyright of all the other contributors. Any one of whom could enforce it or raise a DMCA take down notification on the repo.
So given that we're talking about material that is in breach of copyright, it's likely that being able to enforce a license on that as a consumer is not really a thing which is possible as the conditions on what must be included bind the person distributing the material not the person receiving it.
firesteelrain
So weird that this person took contributions from others then made it closed source. It doesn’t seem right, but I'm not a copyright expert.
schneems
Speaking generally:
It’s assumed that your contribution will be licensed with the current license (generally). Maintainers can change the license but that wouldn’t affect prior contributions. Basically anything up to that license change would still have the original license. This is what makes forks possible when popular software changes their license.
In order to go back in history and change a license, you need either the consent of your contributors or a document that would grant you the power to do that. A CLA could (but not all CLAs will) grant a maintainer the right to change a license at will back in time.
Other famous software that has seen a license change: Redis and Terraform. In those cases the license changed but already released software is still available with the old license and that old license allows for forks.
alwayslikethis
My understanding is that permissive licenses (BSD, MIT) can generally be relicensed. For example you can fork an MIT project under GPL. But to do the same for a GPL project requires agreement from all copyright owners, or just you if you made everyone sign a CLA. This is the whole point of GPL.
bad_user
Your general understanding is wrong, as there's nothing in either BSD or MIT that allows for re-licensing, and nothing else gives you that right.
You can incorporate MIT/BSD code in a proprietary project, but that imported code itself remains BSD/MIT licensed. For many projects, this is a technicality, but no, you can't claim copyright on MIT/BSD code that isn't yours.
KennyBlanken
Was Material even his work in the first place?
mook
Looks like it was, or at least the initial commit was. This was back in 2017.
https://github.com/material-theme/vsc-material-theme/commits...
I'm not sure why the initial commit already says "official", but that's almost a decade ago.
joshka
The initial commit was in 2015 and was MIT licensed for a couple of years before it was changed to Apache licensed. It's unclear if any of the other contributors gave permission for this change to happen.
https://github.com/material-theme/vsc-material-theme/commit/...
koakuma-chan
Nobody is gonna pay for a VSCode theme.
monokai_nl
That's untrue. I've created https://monokai.pro, to my knowledge the first commercial theme. It's been going strong for years now.
People are willing to pay for nice things. Especially if it takes longer to create it yourself.
A theme is more than a list of colors. Monokai Pro contains custom designed icons and color filters too, and some code logic to sync it all up. It needs continued updates, as editors keep evolving with new UX/UI elements.
ihateolives
I paid happily for monokai pro vscode since it was a one time payment. However I will not purchase a subscription for jetbrains intellij because per year it'll cost me the same amount as the intellij idea ultimate and that just doesn't seem like a fair price.
NetOpWibby
Happy Monokai customer here! I want to make themes using my own palette but nothing supports OKLCH and I don't wanna convert to HEX.
koakuma-chan
I haven't noticed any difference after tailwind started using oklch, doubt there's any.
weinzierl
People pay for mere color schemes. https://draculatheme.com/
NetOpWibby
I paid for Dracula back when I could stare at dark mode for hours. Now I use Monokai Pro Light (paid for this too).
Free themes are a dime a dozen.
Paid themes means someone's incentivized to keep working on it and adding icons, &c.
koakuma-chan
No, paid themes are just passive income for their creators, since they get free advertising from IDE marketplaces and it costs them nothing to run. You can google free vscode theme and get hundreds of literally the same thing.
dawnerd
That seems like a special case since you’re buying into a consistent theme across different apps. If it was just vscode that would be a tough sell.
koakuma-chan
he's even selling a book lmao
vorpalhex
I'd pay off the cuff money ($5) if it wasn't paywalled. "Donationware" if you will. I do this with other apps/resources/things including a nice pixel font I like using in images.
I suck at colors and want nice themes. I'm glad people better at this than me take time to make nice things.
But, I don't want to ever manage licenses for my theme. My dotfiles need to fetch it automatically or it's out.
ahoef
Discussion has been deleted.
Edit: the whole repo has been put to private.
Hi - Isidor here from the VS Code team.
A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us. Our security researchers at Microsoft confirmed these claims and found additional suspicious code.
We banned the publisher from the VS Marketplace and removed all of their extensions and uninstalled them from all VS Code instances that have this extension running. For clarity - the removal had nothing to do with copyright/licenses, only with potential malicious intent.
Expect an announcement here with more details soon https://github.com/microsoft/vsmarketplace/
As a reminder, the VS Marketplace continuously invests in security. And more about extension runtime trust can be found in this article https://code.visualstudio.com/docs/editor/extension-runtime-...
Thank you!