by isidorn 473 days ago
Hi - Isidor here from the VS Code team.

A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us. Our security researchers at Microsoft confirmed these claims and found additional suspicious code.

We banned the publisher from the VS Marketplace, removed all of their extensions and uninstalled them from all VS Code instances that had this extension running. For clarity - the removal had nothing to do with copyright/licenses, only with potential malicious intent.

Expect an announcement here with more details soon https://github.com/microsoft/vsmarketplace/

As a reminder, the VS Marketplace continuously invests in security. And more about extension runtime trust can be found in this article https://code.visualstudio.com/docs/editor/extension-runtime-...

Thank you!

16 comments

Letting you know that VSCode is unable to uninstall the extension. It prompts me to uninstall, but when I confirm the window refreshes and the extension is still there, triggering the same "is problematic" prompt. This is an infinite loop. Same behavior when trying to uninstall the usual way from the extensions panel.

I had to manually delete the extension's folder in %USERPROFILE%\.vscode\extensions and delete the entry from the json (%USERPROFILE%\.vscode\extensions\extensions.json).

VSCode 1.97.2, commit e54c774e0add60467559eb0d1e229c6452cf8447
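
The manual clean-up described in the comment above (delete the extension's folder under the extensions directory and drop its record from extensions.json) can be scripted so it is repeatable across a fleet and so you can first inventory which machines carry extensions from a given publisher. The following is an added example, not code from VS Code or the Marketplace team. It assumes extensions.json is a JSON array whose records carry an `identifier.id` of the form `publisher.name` and a `relativeLocation` naming the extension's folder; the sample layout it builds is constructed here to exercise those two fields, and the publisher id `example-pub` is a placeholder.

```python
import json
import shutil
import tempfile
from pathlib import Path

# Windows path per the comment above; on macOS/Linux it is ~/.vscode/extensions.
DEFAULT_ROOT = Path.home() / ".vscode" / "extensions"


def load_inventory(ext_root):
    """Return the list of extension records from extensions.json (empty if absent)."""
    index = Path(ext_root) / "extensions.json"
    if not index.exists():
        return []
    with index.open(encoding="utf-8") as fh:
        return json.load(fh)


def find_by_publisher(entries, publisher):
    """Records whose 'publisher.name' id starts with the given publisher (case-insensitive)."""
    prefix = publisher.lower() + "."
    return [e for e in entries
            if e.get("identifier", {}).get("id", "").lower().startswith(prefix)]


def remove_extension(ext_root, ext_id):
    """Delete the extension's folder and drop its record from extensions.json.
    Returns the number of records removed (0 if the id was not installed)."""
    root = Path(ext_root)
    keep, dropped = [], []
    for e in load_inventory(root):
        if e.get("identifier", {}).get("id", "").lower() == ext_id.lower():
            dropped.append(e)
        else:
            keep.append(e)
    for e in dropped:
        rel = e.get("relativeLocation")
        folder = root / rel if rel else None
        # Only delete a directory that sits directly under the extensions root,
        # so a malformed relativeLocation cannot point the delete elsewhere.
        if folder and folder.resolve().parent == root.resolve() and folder.is_dir():
            shutil.rmtree(folder)
    if dropped:
        with (root / "extensions.json").open("w", encoding="utf-8") as fh:
            json.dump(keep, fh)
    return len(dropped)


def build_sample_root():
    """Constructed sample layout (assumption: mimics the identifier.id and
    relativeLocation fields this script relies on). Returns the extensions root."""
    root = Path(tempfile.mkdtemp()) / "extensions"
    records = [
        {"identifier": {"id": "example-pub.sample-theme"}, "version": "1.0.0",
         "relativeLocation": "example-pub.sample-theme-1.0.0"},
        {"identifier": {"id": "other.harmless"}, "version": "2.1.0",
         "relativeLocation": "other.harmless-2.1.0"},
    ]
    for r in records:
        folder = root / r["relativeLocation"]
        folder.mkdir(parents=True)
        (folder / "package.json").write_text("{}", encoding="utf-8")
    (root / "extensions.json").write_text(json.dumps(records), encoding="utf-8")
    return root


if __name__ == "__main__":
    root = build_sample_root()  # swap for DEFAULT_ROOT on a real machine
    ids = [e["identifier"]["id"] for e in find_by_publisher(load_inventory(root), "example-pub")]
    print("installed from example-pub:", ids)
    print("removed:", remove_extension(root, "example-pub.sample-theme"))
    print("remaining:", [e["identifier"]["id"] for e in load_inventory(root)])
```

Run the inventory step before the removal step and keep its output: once the extension has been removed (by this script or by VS Code itself), extensions.json no longer records that it was ever present, so the inventory is the evidence you will want when deciding which machines to examine further.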

Thank you for letting us know. We are investigating.

Any update on this? I am not directly impacted, but am unsure about others in my company. Assuming that they may be:

* Any specifics on the (potential) impact for affected users?

* What they should do to get it removed?

Edit: There does seem to be a little bit more information available over at Bleeping Computer[1], but the precise nature of what the malware does is unclear at this time other than that it may be some type of "supply chain attack". It would be good to hear more about the specifics.

1: https://www.bleepingcomputer.com/news/security/vscode-extens...

It is my understanding that the VSCode team uninstalled this from the marketplace service, as in, it was remotely uninstalled. I just opened my VSCode on an old laptop that had extensions from this actor and everything under his publishing account got removed.

Thank you man, I was getting nuts here trying to uninstall this crap but unable.
Help me square this circle:

> A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us.

> As a reminder, the VS Marketplace continuously invests in security

If you’re relying on the community to alert you to the issues in the marketplace, perhaps you’re not investing enough in auditing popular extensions yourself?

I would also suggest that the trust model for VSCode is fundamentally broken - you’re running arbitrary third party code on client machines without any form of sandboxing. This is a level of security you would not deploy into Azure, so why is “run arbitrary 3p code on someone else’s machine” appropriate for VSCode?

While I appreciate the work that the VSCode team does and I use it, the lack of any form of sandboxing has always bothered me.

PSA: every package you install from any package manager from browser extensions to npm/composer etc presents the risk of malware. Because the open source community lacks the financial resources to vet every single version of every package. Demanding this level of security from software provided at no cost that relies on open contributions is wholly unreasonable. If you need that, buy an IDE from a company financially capable of ensuring security and accept the limitations of their offering.

Mitigations like running in a VM might protect your dev workstation. But not code you put into production that relies on third parties.

> Demanding this level of security from software provided at no cost that relies on open contributions is wholly unreasonable

VS Code isn't some kind of hobby project by a couple of dudes on laptops with nothing but the best interests of the community at heart. It's a flagship IDE produced by one of the most valuable tech companies in the world, released for free as a loss leader in service to very specific corporate goals.

When a tech behemoth releases a free IDE as a loss leader and it drives out all of the scrappy open source projects one by one, I think it's reasonable to hold that tech behemoth to tech behemoth standards rather than scrappy open source project standards.

> VS Code isn't some kind of hobby project by a couple of dudes on laptops with nothing but the best interests of the community at heart.

Which is why I'm pretty confident in first party packages and don't install third party plugins from random authors.

> I think it's reasonable to hold that tech behemoth to tech behemoth standards

You’d end up with Apple-style reviews and then people complaining about them. You can’t really win.

The marketplace isn't operated on a paid contract for vetted extensions. You vet the extensions you use. Most don't, and it's ok. Don't shift the blame and the cost on Microsoft though, they don't have to offer it.

Yet Mozilla, for all the flak it gets, isn't paid a dime by its users, but does find resources to vet the most popular extensions. Everything I use is checked by them.

Raymond Hill (of uBlock fame) wasn't really impressed with how it is performed, but it's still much better than nothing (which is what MS apparently does).

VSCode is an IDE in name only, it's a glorified text editor, and a pretty mediocre one at that. The I in "IDE" stands for "integrated", like what you'd expect from JetBrains' products. Or even the real Visual Studio.

What functionality or property makes JetBrains' products an IDE while VSCode isn't? Honest question, I've never used any of their products.

Apples to oranges or should I say Advertising Revenue vs. Freemium Revenue models

> Everything I use is checked by them.

How do you know that?

> Because the open source community lacks the financial resources to vet every single version of every package.

I made the point elsewhere, but this seems to fail in the face of Debian and Red Hat and Canonical who have been publishing mostly-secure distros of exclusively open source software for decades now.

There's a reason why MS and NPM get caught by this sort of shenanigans, but it's not "open source".

Because the attack surface is smaller and more difficult to extract value out of. I think it’s been shown time and time again the more motivated your attacker the more difficult it is to defend and very visible popular platforms see more attacks. NPM and MS represent drastically larger platforms.

Uh... no. There is far (far) more code[1] shipped in the package repository of any Linux distro than in all the world's vscode extensions. Are you being serious? NPM arguably gets a little closer, but only a little.

No, the reason Linux is safe and modern distributors aren't is the "packaging" step. Debian volunteers package software that they understand to be high quality via existing community consensus. You can't just show up to Fedora and say "ship my junkware app", you need to convince the existing community that your stuff doesn't suck.

And that's worked extremely well for decades now, going all the way back to 2BSD being shipped above V7 Unix. The reason MS and NPM et al. abandoned it isn't just pure experience[2]. They don't want to wait for their repos to fill with good software, they want all the software in it now so that they don't get beaten by whoever their competitors are.

And this is the inevitable result. If you allow anyone to distribute software to your users then you allow everyone to distribute software to your users. And everyone includes a lot of bad people.

[1] With vastly more capability! The distro ships everything from firmware blobs and kernel drivers up through browser glitz and desktop customization. Talk about "attack surface"!

Remember, when we're triggered our reading comprehension goes down and we confuse emotion for facts. Did I say they ship more/less code? No, first I was talking about the user base size and the economic incentives for malicious users.

For the most popular package:

Debian: ~253K installs per month [1]

NPM: ~236M installs per month [2]

VSCode: ~158M installs total [3]

Obviously VSCode is hard to compare, but the most popular Debian package would need 52 years to achieve the total VSCode numbers so I'm sure it's safe to say VSCode beats Debian significantly on installs and NPM wins even more convincingly.

Ok, but let's take a look at how much code is shipping which was your metric:

Debian: 242k submissions per month for amd64 [4]

NPM: ~50k new non-spam packages per month, ~800k new version submissions per month [5]

VSCode: No data available

I don't know how VSCode compares, but clearly NPM beats Debian, which makes sense because of how open it is and, more importantly, how many orders of magnitude more JS developers there are than Linux developers and how much more frequently they update their packages because the overhead for creating a submission is lower.

It's really easy to forget that the number of JS developers or people using IDEs is much larger than the number of Linux users. So NPM still beats Debian on this front. As for the security assumption and how good a job maintainers are doing, I'm not so sure on that either. The xz utils backdoor into SSH was found by a Microsoft employee (i.e. the community) not by Debian maintainers. It's not hard to imagine that the lack of notable security issues (particularly attempts recorded) actually indicates very little review, not that there's a higher bar because the maintainers are more talented or have better incentives for "reasons" - there's a reason Chrome was perceived as having better security than IE (it did - architecture was better) and STILL they see regular successful attacks bypassing all the mitigations.

Again, to reiterate in case the above got you triggered again - NPM & VScode have significantly more users than Debian and that creates economic incentives for attackers. The capabilities of a vulnerability matter less unless you're a state actor because capabilities do not track economic results as strongly. This has so much evidence it shouldn't even need this kind of explanation. Remember when people said that Mac had better security? Well turns out Apple is dealing with all the same vulnerability and spam issues on a closed down system when their popularity went up; again, economic incentives.

[1] https://popcon.debian.org/main/by_inst

[2] https://www.npmjs.com/package/lodash

[3] https://marketplace.visualstudio.com/items?itemName=ms-pytho...

[4] https://popcon.debian.org/

[5] https://blog.sandworm.dev/state-of-npm-2023-the-overview

It presents a risk sure. But your browser sandboxes those extensions. VSCode runs extensions with the same permissions that VSCode itself has.

You do realize this is Microsoft we're talking about here? Not merely a couple dudes in their bedroom doing this in their spare time? I guarantee you that a non-zero percentage of the code in VSCode was paid for.

Who ever paid to use the extensions marketplace?

I meant on the development side, not that end users paid for anything.

Then why should end users expect anything? Microsoft is already paying for developers.

> You do realize this is Microsoft we're talking about here?

Fiscal responsibility: required

> Not merely a couple dudes in their bedroom doing this in their spare time?

Fiscal responsibility: optional

I would also point out, the malware-infested extension we are talking about presents more as the “two guys in a bedroom” model (though possibly a state-sponsored actor).

I was going to point out this weird part of their comment too.

Reminder that the Open-VSX extension registry exists: https://open-vsx.org

Idk if they removed the malicious theme (or if they have it at all), but if MS isn't doing anything beyond just responding to user reports, you might as well switch to an open registry that probably does the same level of security work, and avoid giving them yet another monopoly.

Remember, this is Microsoft! A friend told me of a fairly major corporate firm that found MSFT had arbitrarily pushed an AI tool to run on their SharePoint, scooping up site data outside of any formal agreement to do so. MSFT are no doubt covered by a general agreement but this seems underhand/inept and yet a remarkably common flaw in their approach (I've seen similar behaviour with Teams apps).

> If you’re relying on the community to alert you to the issues in the marketplace, perhaps you’re not investing enough in auditing popular extensions yourself?

I think that's sort of unfair. Of course MS should be relying on the community! That's arguably the best single practice for detecting these kinds of attacks in open source code. Objectively it works rather better even than walled garden environments like the iOS/Android app stores (which have to be paired with extensive app-level sandboxing and permissions management, something that editor extensions can't use by definition).

The reference case for best practice here is actually the big Linux distros. Red Hat and Canonical and Debian have a long, long track record of shipping secure software. And they did it not on the back of extensive in-house auditing but by relying on the broader community to pre-validate a list of valuable/useful/secure/recommended software which they can then "package".

MS's flaw here, which is shared by NPM and PyPI et al., is that they want to be a package repository without embracing that kind of upstream community validation. Software authors can walk right in and start distributing junk even though no one's ever heard of them. That has to stop. We need to get back to "we only distribute stuff other people are already using".

I think you missed the part where I’m asking why the extensions aren’t sandboxed whereas they do invest into sandboxing when it comes to renting out their own machines in the cloud. Even browsers try to do sandboxing of extensions. It’s a jarring disconnect and VSCode is well beyond the prototype stage at mass adoption - the lack of sandboxing is confusing and worrying.

> you’re running arbitrary third party code on client machines without any form of sandboxing. This is a level of security you would not deploy into Azure, so why is “run arbitrary 3p code on someone else’s machine” appropriate for VSCode?

More and more, I am starting to think I need to run my development environment (for both work and personal projects) in a VM.

I am on MacOS, so UTM or Parallels would work pretty well I think. Sadly, I think my work explicitly forbids us from running VMs or accessing our services from them.

VSCode in the cloud would be great. GitHub tried something similar with GitHub.dev; I haven’t tried it in a while but it didn’t feel quite ready at the time, maybe things have changed.

Try https://vscode.dev

You can append a Github repo to the URL to open it: https://vscode.dev/https://github.com/facebook/react

Lmao why should they have to spend money auditing random 3rd party extensions that you choose to install? VSC is free, we're not paying for it.

> Help me square this circle

Sure. As a general rule, you get what you pay for.

You might need to chase down reuploads, too.

https://marketplace.visualstudio.com/items?itemName=t3dotgg....

Thanks. Our security researchers will review this today and we might take it down. We reached out to the new author and he does not have malicious intent, and agreed that we just take down the new extension if we see something is off.

> We reached out to the new author and he does not have malicious intent

Because he said so?

The maintainer goes into more detail here: https://news.ycombinator.com/item?id=43182156

This is an older pinned version before the license and malware stuff started going down afaik

https://youtu.be/3wz7YF2as-c

Maybe point to the actual reupload instead? https://marketplace.visualstudio.com/items?itemName=fanny.vs...

Wild how its GitHub page (1 commit, 1 hour ago) already has 885 forks and 11.2K stars to mislead people

https://github.com/Fanny-Theme/fanny-theme-support

> Expect an announcement here with more details soon https://github.com/microsoft/vsmarketplace/

Hi Isidor, excited for this! At Open VSX, we'd love to take a look and potentially flag the extension as malicious on our side as well. Are you aware of the version range that the malicious code was included in? I'm asking because https://open-vsx.org does not have any version published since the extension went closed-source.

The extension file is still available to download directly from MS.[0]

I downloaded the file and unzipped it, but on a cursory glance I only see obfuscated code, nothing malicious.

[0]: !!!WARNING MAY BE MALICIOUS!!! https://marketplace.visualstudio.com/_apis/public/gallery/pu...

Obfuscated code is malicious, even in case it's harmless.

Then never download an Android app, they're obfuscated by default.

Obfuscating Javascript is entirely unnecessary: it signals that the author thinks that they have something to hide.

At the very least, the author has delusional notions about the greatness of their source code and they worry about piracy, meaning that there is a high probability of stupid bugs and that they would be difficult to notice because of the obfuscation.

Of course in this case the default assumption should be that there is something malicious to hide.

False positives suck, and it hurts when it happens.

The publisher account for Material Theme and Material Theme Icons (Equinusocio) was mistakenly flagged and has now been restored. In the interest of safety, we moved fast and we messed up. We removed these themes because they fired off multiple malware detection indicators inside Microsoft, and our investigation came to the wrong conclusion. We care deeply about the security of the VS Code ecosystem, and acted quickly to protect our users.

I understand the "Equinusocio" extension author's frustration and intense reaction, and we hear you. It's bad but sometimes things like this happen. We do our best - we're humans, and we hope to move on from this. We will clarify our policy on obfuscated code and we will update our scanners and investigation process to reduce the likelihood of another event like this. These extensions are safe and have been restored for the VS Code community to enjoy.

LINKS:

Material Theme https://marketplace.visualstudio.com/items?itemName=Equinuso...

Material Theme Icons https://marketplace.visualstudio.com/items?itemName=Equinuso...

Again, we apologize that the author got caught up in the blast radius and we look forward to their future themes and extensions. We've corresponded with him to make these amends and thanked him for his patience.

Scott Hanselman and the Visual Studio Code Marketplace Team - @shanselman

Is it possible for you to add color theme/icon theme/keymap only extensions, without any executable code? I think it will improve the security situation a bit. I don't see why the mentioned kinds of extensions should have any code.

This is really confusing to me. The original discussion was about changing licenses, but somehow (coincidentally?) there was malicious code discovered shortly after? Are these related?

It's a common theme:

- build an open-source thing

- wait till thousands or millions of people are using it

- change the license and close down the source

- implement malicious code

- push an update

- profit! you now have your malware running on millions of systems

Should be added that the malicious part is often done by a third party that takes over an open source project when the original developer doesn't have the time/energy/money to maintain their open source/free work. Many Chrome extensions end up being sold for thousands or just hundreds of dollars because there's no money in them and the dev isn't all that interested.

Society as a whole could easily avoid this by funding open source/free utilities to the point where malware makers need to spend significant cash to outbid yearly community support, but unfortunately maintaining anything available online for free is a thankless job that barely covers the electricity required to maintain the code.

In this case too, the developers behind the theme seemed to want to monetise their work, which had attained almost 4 million installs, in the past, but found themselves with a rather unwilling customer base. I don't know if they snapped and uploaded something malicious or if they're intentionally making it hard for forks to copy their work, but either way the lesson learned is that if you want to make money you should just abandon your free projects and start something else.

Every time piracy or YouTube ads come up, HNers grandstand on how they don't even pay a dime to the content creators making the hundreds of hours of videos they watch.

GGs if you want a buck for the VSCode theme you made.

I proudly block ads while giving directly to the people that make the stuff I like.

I know I'm in the minority, but I block ads because of memetic hygiene. I don't want to deprive artists but I'm not sitting through adslop for a podcaster's sake.

With YouTube at least, you can buy YouTube Premium, so you don't have to sit through YouTube ads without needing an ad blocker (though you'll still have to sit through any ads the YouTuber directly adds into the video itself).

Disclosure: I work at Google.

I fundamentally disagree with making money from ads. I have no problem giving money to people who make things.

Copyright abolitionists are more than happy to embrace no one ever making money off of "software" again.

> Society as a whole

As long as we won't have to pay 2 USD for an extension!

The closing down step is optional. Just don’t build on a public CI, and inject malicious code in your builds, xz-style.

Are you contending that's what happened here? This is not a leading question, I genuinely do not know and am trying to learn more.

Yup, many mobile app developers do this (inject any SDK that'd pay them) too. Doesn't need to be open source, though.

Mobile app devs are often scum,

but no need to single them out.

Plenty of bait and switch later free apps turned freemium, or malicious, out there.

This is a good description of the problem. I'm not sure why it's been downvoted, except that "common" is overstating it a bit.

Reminds me of MX Player on Android (Nova Launcher also?)

Hey! Isn't that the Microsoft business model? Doesn't MS control VS Code? (google microsoft antitrust).

Can you please clarify whether the fork also suffers from the same security issues (or engage the fork's owner to ensure that it doesn't https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you)

Hi, owner of the fork here.

I did a thorough combing of the code base when I forked. Just did another audit and still not seeing anything suspicious. Gutting all of the opencollective and changelog code to be 1000% sure.

Hi. Please do not replace the original author's copyright notice in the LICENSE file. That is a violation of the Apache License.

You could instead "append" your name to the copyright notice though, which is legal.

https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you/c...

The only potential risk was the use of sanity to render a changelog. I didn't want to risk it, so I gutted that and a ton of other stuff. Just published a new, stripped down version.

https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you/p...

Ok, but did you remove something that explicitly appeared malicious? This is a key detail that I am not seeing in your comments or commit messages.

That's covered by

> I did a thorough combing of the code base when I forked. Just did another audit and still not seeing anything suspicious.

Thanks for flagging it. Our security researchers will analize it and based on their findings we might remove this one as well.

s/analize/analyze/g

s/g/

So is there any proof of the malicious code?

The extension file is still available to download directly from MS.[0] (Also, if you pull it from users, why are you still allowing downloads in the first place?)

I downloaded the file, and unzipped it. On a cursory glance I see obfuscated code but zero "red flag" level code, has anyone seen the malicious code claimed?

[0]: !!!WARNING CLAIMED TO BE MALICIOUS!!! https://marketplace.visualstudio.com/_apis/public/gallery/pu...
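
Two commenters above (here and earlier in the thread) downloaded the extension package and unzipped it to look for the reported malicious code, finding mostly obfuscated JavaScript. A .vsix is a zip, so that first-pass triage can be automated: walk the archive, score each JavaScript file on indicators that commonly accompany obfuscation (hex-escaped strings, `eval`, `new Function`, `String.fromCharCode`, a `child_process` reference), and decode hex escapes before matching so that an identifier hidden as `\x63\x68...` is still found. The following is an added example and not code from the Marketplace team or the extension's author; the two JavaScript files it scans are constructed inline for the demonstration and stand in for nothing on the page. A flag from this script is a reason to read the file by hand, not a verdict: minified build output will trip the long-line check, and plenty of obfuscated code is, as the thread notes, merely obfuscated.

```python
import io
import math
import re
import zipfile
from collections import Counter

# Matched against text with hex escapes already decoded.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "new_function": re.compile(r"new\s+Function\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "child_process": re.compile(r"child_process"),
}
HEX = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape_hex(text: str) -> str:
    """Turn \\x41-style escapes back into characters so hidden identifiers match."""
    return HEX.sub(lambda m: chr(int(m.group(1), 16)), text)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or base64 blobs push this well above ordinary source."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def score_js(text: str) -> dict:
    """Indicator counts plus structural hints for one JavaScript file."""
    decoded = unescape_hex(text)
    hits = {name: len(rx.findall(decoded)) for name, rx in INDICATORS.items()}
    hits["hex_escapes"] = len(HEX.findall(text))
    lines = text.splitlines() or [""]
    return {
        "max_line_len": max(len(line) for line in lines),
        "entropy": round(shannon_entropy(text.encode("utf-8")), 2),
        "hits": {k: v for k, v in hits.items() if v},
    }


def triage_vsix(vsix_bytes: bytes, max_line: int = 1000, max_entropy: float = 5.8) -> dict:
    """Score every .js inside a .vsix (a zip) and mark the ones worth a manual read."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".js"):
                continue
            result = score_js(zf.read(name).decode("utf-8", errors="replace"))
            result["flagged"] = (bool(result["hits"])
                                 or result["max_line_len"] > max_line
                                 or result["entropy"] > max_entropy)
            report[name] = result
    return report


# --- constructed sample package (assumption: layout mirrors a typical vsix with
# --- extension code under extension/; neither file is from any real extension) ---
PLAIN_JS = """const vscode = require("vscode");
function activate(context) {
  const disposable = vscode.commands.registerCommand("sample.hello", () => {
    vscode.window.showInformationMessage("Hello from the sample theme");
  });
  context.subscriptions.push(disposable);
}
module.exports = { activate };
"""


def _hexed(s: str) -> str:
    return "".join("\\x%02x" % ord(c) for c in s)


OBFUSCATED_JS = (
    'var _0x1a=["' + _hexed("child_process") + '","' + _hexed("exec") + '"];'
    'var r=require(_0x1a[0]);'
    'eval(atob("Y29uc29sZS5sb2coMSk="));'
    'new Function(String.fromCharCode(99,111,110,115,111,108,101))();'
)


def build_sample_vsix() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json", '{"name": "sample-theme"}')
        zf.writestr("extension/out/extension.js", PLAIN_JS)
        zf.writestr("extension/out/loader.js", OBFUSCATED_JS)
    return buf.getvalue()


if __name__ == "__main__":
    for path, result in triage_vsix(build_sample_vsix()).items():
        print(("FLAG " if result["flagged"] else "ok   ") + path, result["hits"])
```

To run it against a real package, replace `build_sample_vsix()` with the bytes of the downloaded .vsix; the report keeps per-file indicator counts so the files to open first are the ones with hits, then the long-line and high-entropy ones.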

Will Microsoft consider adding a permission model for extensions?

This is tracked in this feature request https://github.com/microsoft/vscode/issues/52116

We do not plan to add a permission model in the next 6 months.

> We do not plan to add a permission model in the next 6 months.

I guess Copilot functionality trumps "Security above all else" now.

https://blogs.microsoft.com/blog/2024/05/03/prioritizing-sec...

Yeah, the vscode release notes used to be lists of interesting new things and novel improvements.

Now they are all “copilot” “features”.

TBH, no criticism on the developers, but the VS Code release notes haven't been interesting or relevant to how I used the editor for years. I think I checked out when they added a terminal client to it and it dominated the release notes for ages.

AI features are one of the bigger innovations in editors in years, I fully understand the enthusiasm, especially given it can be linked to an earnings model. That said, before AI stuff I would've expected them to push integration with GitHub and Azure more.

This is why I use Emacs and it's why I didn't stop using Emacs when Sublime Text II, then Atom, then VSCode became popular.

When Microsoft gets bored of VSCode or forces you to only do AI "vibe coding", Emacs will still be there.

New version just came out. The release notes were full of good things.

Before Copilot the first item in their release notes was always accessibility, which I thought was a very nice touch. Now Copilot took the prime spot.

Given the enormity of the attack surface that has just been exposed, that's disappointing.

This isn’t really exposed so much as exploited. This was always possible.

Security has been overlooked for way too long for me to trust it at this point.

The only sane way to contain the blast radius is to run code-server in a container (or in a VM) and use it through a browser tab.

Luckily, the UI works perfectly, hotkeys and everything. They did awesome work there.

There will never be some permission model. Like in VBA there is, after all these years, nothing. VBA would be much less problematic if you could restrict VBA to just one Excel sheet or so.

Given that it's been automatically removed from all VS Code instances, is there any way to check if it was previously installed? It's concerning that there's now no way to check if a system has been compromised by this.

Doesn't it prompt to uninstall?

Just to be clear, which publisher was banned? Maybe I'm being stupid (it's late here) but I'm struggling to track the various parties involved.

Anyway, thank you for the update.

The publisher Equinusocio was banned.

I de-obfuscated most of it and didn't see anything malicious. Was there any particular file that was concerning?

Why was there any obfuscated code in the first place?

I missed it-- it's in the release notes file. I uploaded it to pastebin. It does look malicious.

https://pastebin.com/H5QjS4Bt

The issue to which op links now yields 404. What's up with that?

Weirdly, this Wayback link is now also a 404. I didn't realize content can retroactively get removed from the archive like that – doesn't that sort of defeat one of its main purposes?

I am in European time and I do not know what happened on that post (since I was sleeping). I assume there were some heated arguments between maintainer and community about license/copyrights/open source maintenance.

Imagine the amount of infected packages we use every day. Probably 20 different governments see everything we do.

Why worry about governments so much? You know how many different companies see everything you do? Do you trust all of them?

https://www.wired.com/story/gravy-location-data-app-leak-rtb...

Companies didn't intentionally murder 100 million of their own customers in the 20th century alone.

They certainly aided and abetted. See IBM.

But they didn't murder their own customers. Their customer, a government, did the murdering.

As long as government claims the right to a monopoly on violence, it is reasonable to hold them to far, far higher standards than anyone else, including corporations. There is only so much damage one company or one cartel can do, but with government, the downside is unbounded. As I suspect we're about to see for ourselves.

Nah, let go of that monopoly on violence claptrap. Governments can't do things without corporations to build stuff for them.

> Their customer, a government, did the murdering.

Using stuff the corporation made and profited from.

Max Weber died in 1920, get some new economics.

They are now evading the ban by rebranding the extension to "Fanny Theme": https://marketplace.visualstudio.com/items?itemName=fanny.vs...

Is this a troll name? Fanny is a fairly well-known slang term[0]

[0] https://en.wikipedia.org/wiki/Fanny#In_slang

Only in the UK IIRC

Many English speaking countries, I'm sure the US is more the exception than the rule in this case.

Of course, 'git' is also an insult.

Git is a fairly mild insult though, roughly equivalent to calling someone annoying. I'm sure at least a few of us have thought Git (the tool) to be aptly named, from time to time.

And here I thought it was redneck for "get" like that's where ya git yer code from.

Linus once quipped "I'm an egotistical bastard, and I name all my projects after myself. First 'Linux', now 'git'."

Is "fanny" an insult at all?

It was also equivalent to "bro" in the late 90s, at least in some circles in the US.

35+ years ago, my friend insisted it meant the UK definition and, until now, every time I heard the word, I'd think of the time my, otherwise smarty-pants, friend didn't know what the most basic, least offensive, slang meant.

It's pretty mild, but still offensive in the UK. Your friend was right to believe that much. That everyone thinks it means that? No - the US uses it differently for a region of the body slightly less offensive. It's a bit like spunk, which is also fairly offensive in the UK, and fag, which despite having an offensive meaning in the US, is actually traditionally not offensive here, though the US meaning is known and sometimes used - it means "cigarette" here mostly, and "faggot" means something less offensive too (a bunch of sticks or a type of meatball like dish.)

Remember when fanny packs were a thing?

More like “only in the US it isn’t” :)
Might be regional but fanny is definitely slang in the US as well, but very quaint/dated, meaning butt. Would generally be used in some sort of context like a grandma telling a kid, 'Get your fanny over here right this second!'

It would never be offensive or used with sexual connotation. It's kind of like the equivalent of wiener.

It was a popular name in France in the 90s ¯\_(ツ)_/¯

Yeah, Fanni is still used in Hungary.

Thank you. We will security audit this extension today and take action if needed.

Didn't the author evade a ban? Isn't that enough reason to take this down?

They could at least somewhat automate checks for that sort of thing.

Yep, because there's already another one, our hex code merchant clearly has nothing better to do: https://marketplace.visualstudio.com/items?itemName=vira-the...

It's a new publisher https://marketplace.visualstudio.com/publishers/fanny

If you dig into the code on GitHub [1] , you can see it's the same author as the Material Theme. But I'm not sure how the marketplace folks are supposed to track that.

[1] https://github.com/fanny-theme/fanny-theme-support

new main features:

0 external and harmful dependencies

closed source = no more toxic community and youtubers talking shit about things they don't know.

Looks like we're good now.

Correct, the author links to it from his GitHub page https://github.com/equinusocio

So, this is pretty weird no? In his GH profile he links his website/portfolio https://astorinomattia.com/ which is actually his surname + name.

It doesn't seem to be pretty smart and safe going rogue with such public exposure no? Unless it is a completely fake persona, of course.

It also links to his employer (https://lualtek.io). Maybe someone should let his employer know what their employee is up to :)

> Things destroyer.

Hmmmmm.