• Kissaki
    4 days ago

    This feels way too apologetic by MS to me. Dunno if that’s mainly the reporting in this article.

    When asked by BleepingComputer about this development, cybersecurity researcher Amit Assaraf continued to claim that the extension did contain malicious code. However, there was no malicious intent from the publisher, commenting that “in this case, Microsoft moved too fast.”

    They “accidentally included” stuff that didn’t belong in there. They obfuscated their code. Multiple red flags were hit.

    For me, moving fast in blocking spread seems warranted. Maybe it shouldn’t trigger removal on installs immediately, depending on how fast they can check.

    The authors' ban circumvention and “outdated dependency the cause but not an issue” claims were dubious at best as well.

    Sure, maybe no ill intent. But that doesn’t mean security practices should not happen.