The Hacker News · Tuesday · June 9, 2026

VS Code Adds 2-Hour Extension Auto-Update Delay to Limit Supply Chain Attacks

vscode · supply-chain · security · extensions

Microsoft has announced that Visual Studio Code (VS Code) will introduce a two-hour delay before extensions are automatically updated to a newer version. This change is designed to combat software supply chain threats, where attackers compromise legitimate extensions to push malicious updates. When automatic updates are enabled, extensions will be auto-updated to a new version two hours after it is published, providing an extra layer of protection. The delay gives Microsoft and the community time to detect and respond to malicious updates before they reach a wide audience. This move follows a series of high-profile supply chain attacks targeting developer tools, including malicious extensions that exfiltrate credentials or inject backdoors. By introducing a mandatory delay, Microsoft aims to reduce the window of opportunity for attackers and limit the blast radius of compromised updates. Developers can still manually update extensions immediately if needed. The change is expected to roll out in a future VS Code release.

// why it matters

Delays auto-updates to reduce risk of malicious extension propagation.
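
The effect of the delay on an auto-updating client can be sketched as a publish-age check. This is an added example, not code from VS Code or Microsoft; the function names, the release-record fields (`publishedAt`, `removedAt`) and the sample releases are assumptions constructed for illustration.

```javascript
// Added illustration of a publish-age cooldown; not VS Code's implementation.
// Record fields, function names and sample data are hypothetical.
const COOLDOWN_MS = 2 * 60 * 60 * 1000; // the two-hour delay from the article

// Compare dotted numeric versions such as "1.4.2"; returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Pick the version an auto-updating client should move to at time `now` (ms).
// releases: [{ version, publishedAt: ISO 8601, removedAt: ISO 8601 or null }]
// Returns the chosen version string, or null to stay on `installed`.
function pickAutoUpdate(releases, installed, now, cooldownMs = COOLDOWN_MS) {
  const eligible = releases.filter((r) => {
    const published = Date.parse(r.publishedAt);
    if (Number.isNaN(published)) return false; // unknown age: fail closed
    if (r.removedAt && Date.parse(r.removedAt) <= now) return false; // pulled
    if (now - published < cooldownMs) return false; // still inside the delay
    return compareVersions(r.version, installed) > 0;
  });
  eligible.sort((x, y) => compareVersions(y.version, x.version));
  return eligible.length ? eligible[0].version : null;
}

// Constructed sample: 1.4.1 is a malicious update that is removed 45 minutes
// after publication; 1.4.2 is the clean follow-up release.
const sampleReleases = [
  { version: "1.4.0", publishedAt: "2026-06-01T09:00:00Z", removedAt: null },
  { version: "1.4.1", publishedAt: "2026-06-09T10:00:00Z", removedAt: "2026-06-09T10:45:00Z" },
  { version: "1.4.2", publishedAt: "2026-06-09T11:30:00Z", removedAt: null },
];
```

With a zero cooldown the client would take 1.4.1 at 10:30; with the two-hour delay it stays on 1.4.0 until 1.4.2 has aged past the window.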

Sources

Primary · The Hacker News
▸ Read original at thehackernews.com
