Material Theme has been pulled from VS Code's marketplace
Maintainer behavior & license changes
- Commenters say the theme’s maintainer abruptly closed the source, rewrote history, and swapped in a new, restrictive license while threatening users and other theme ports with legal action.
- People note the project was originally MIT, then Apache 2.0, and only later a custom license, raising questions about whether relicensing contributors’ code without consent is legally valid.
- Some see the maintainer’s hostile responses and sense of “owning hex codes” as unprofessional and self-defeating, damaging trust in the project.
Copyright, relicensing & “owning colors”
- Extensive debate over whether one can meaningfully claim rights over a color palette or theme; many find this intuitively absurd, though others point out trademark/copyright precedents (Pantone, corporate colors, yoga sequences, etc.).
- Several participants clarify that permissive licenses allow incorporation into proprietary software, but not retroactive removal of the original license from others’ contributions.
Security concerns & Microsoft’s actions
- A community member reported suspicious, obfuscated code; Microsoft’s security team said they found “red flags” and removed the publisher’s extensions from the marketplace and from users’ installations.
- Obfuscation in an extension, especially one previously open, is widely seen as a major red flag. Some users de‑obfuscated parts of the bundle; early reviews found little, others later identified code that looked like a networked changelog/analytics system.
- Conflicting information appears: one Microsoft message (quoted in the thread) later calls the removal a “false positive,” says the extensions are safe, and restores them. Some commenters now suspect the “malware” claim may have been overblown or mistaken.
Forks, reuploads & alternatives
- A popular fork (“Material Theme (But I Won’t Sue You)”) stripped analytics, HTML changelog, and other code, leaving mostly static color configuration; its maintainer invited audits and Microsoft review.
- The original author repeatedly re‑uploaded rebranded closed‑source versions (e.g., “Fanny Theme”, “Vira Theme”), prompting calls for marketplace enforcement against ban evasion.
- A preserved pre‑license‑change fork exists and is cited as the original clean, Apache/MIT‑licensed code.
VS Code extension trust model
- Many criticize VS Code’s lack of a fine-grained permission model: even a theme extension can run arbitrary code with full user privileges.
- Some call for sandboxing, extension permissions, or a Mozilla‑style tiered trust system, especially for highly installed extensions.
- Others argue heavy vetting would reduce extension variety and push more features into core VS Code, risking bloat.
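
Whether a given theme can run code at all is visible in its manifest: static color configuration needs no entry point. The following added example (not code from the thread, from Microsoft, or from any extension named here) classifies a parsed package.json as declarative-only or code-bearing; the allowlist of static contribution points and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example: flag manifest fields that let a "theme" execute code.
// Contribution points treated as static data (this allowlist is an assumption).
const STATIC_CONTRIBUTIONS = new Set(["themes", "iconThemes", "productIconThemes", "colors"]);

function auditManifest(manifest) {
  const findings = [];
  // "main" (desktop) and "browser" (web) name the script the extension host loads.
  for (const field of ["main", "browser"]) {
    if (typeof manifest[field] === "string" && manifest[field].trim() !== "") {
      findings.push(`entry point "${field}": ${manifest[field]}`);
    }
  }
  // "*" and "onStartupFinished" activate the extension on every editor start.
  const events = Array.isArray(manifest.activationEvents) ? manifest.activationEvents : [];
  for (const ev of events) {
    if (ev === "*" || ev === "onStartupFinished") findings.push(`activates on every startup: ${ev}`);
  }
  // The vscode:uninstall script runs under Node when the extension is removed.
  const scripts = manifest.scripts || {};
  if (typeof scripts["vscode:uninstall"] === "string") {
    findings.push(`uninstall hook: ${scripts["vscode:uninstall"]}`);
  }
  // Dependencies and packs install other extensions, each needing its own audit.
  for (const field of ["extensionDependencies", "extensionPack"]) {
    const ids = Array.isArray(manifest[field]) ? manifest[field] : [];
    if (ids.length > 0) findings.push(`${field}: ${ids.join(", ")}`);
  }
  for (const point of Object.keys(manifest.contributes || {})) {
    if (!STATIC_CONTRIBUTIONS.has(point)) findings.push(`non-static contribution: ${point}`);
  }
  return { declarativeOnly: findings.length === 0, findings };
}

// Constructed sample manifests (hypothetical names and paths).
const themeEntries = [{ label: "Example", uiTheme: "vs-dark", path: "./themes/example.json" }];
const staticTheme = { name: "example-static-theme", contributes: { themes: themeEntries } };
const themeWithCode = {
  name: "example-theme-with-code",
  main: "./build/extension.js",
  activationEvents: ["*"],
  contributes: { themes: themeEntries, commands: [{ command: "example.showChangelog", title: "Changelog" }] },
};

for (const m of [staticTheme, themeWithCode]) {
  const result = auditManifest(m);
  console.log(m.name, result.declarativeOnly ? "declarative only" : result.findings);
}
```

To audit an installed extension, pass the parsed contents of its package.json to auditManifest. A clean result covers only the manifest; it says nothing about what a declared entry point actually does, which still requires reading the bundled code.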
Monetization, maintenance & dependency culture
- Opinions split on whether charging for themes is reasonable: some say UI polish has real value; others see a simple color theme with analytics, obfuscation, and aggressive monetization as grifting.
- The incident feeds broader worries about over‑reliance on third‑party extensions and packages (left-pad, xz, log4j) and the difficulty of balancing convenience, security, and sustainability.