VS Code Introduces 2-Hour Extension Update Delay to Reduce Supply Chain Attack Risks

Microsoft Adds a Security Buffer to Help Developers Avoid Malicious Extension Releases

Microsoft has introduced a new security feature in Visual Studio Code that delays automatic extension updates by two hours. The move aims to reduce the risk of software supply chain attacks that target developers through compromised or malicious extension releases.

Starting with VS Code version 1.123, extensions will no longer update immediately after publishers release a new version. Instead, the platform will wait two hours before installing updates automatically. This delay creates a critical security window that allows suspicious releases to be identified and removed before they reach a large number of users.

Why Microsoft Added the Delay

Software supply chain attacks continue to grow across the development ecosystem. Attackers increasingly target trusted software repositories, package managers, and development tools because a single malicious update can affect thousands of organizations.

In many cases, threat actors compromise a developer account or publishing pipeline and push a malicious version of a legitimate package or extension. Because users trust the source, automated update mechanisms quickly distribute the malicious code across developer environments.

Microsoft's new update delay helps address this problem by slowing down the automatic deployment process. If security researchers, automated scanners, or community members discover malicious behavior shortly after release, maintainers can remove the compromised version before widespread adoption occurs.

As a result, organizations gain additional protection without requiring developers to change their existing workflows.

How the New Feature Works

When automatic updates are enabled, VS Code will now wait two hours after an extension release before applying the update.

Developers can still install updates immediately if needed. The "Update" button remains available for manual upgrades at any time.

Additionally, VS Code will display information explaining why an update remains pending and when the automatic installation will occur. This added transparency helps developers understand the update process while maintaining control over their environments.

However, Microsoft has excluded certain trusted publishers from the delay mechanism. Extensions published by Microsoft, GitHub, and OpenAI will continue to update immediately because the company considers these publishers highly trusted sources.

A Growing Industry Trend

Microsoft is not the only organization adopting time-based defenses against software supply chain threats.

Recently, RubyGems introduced a cooldown feature in Bundler that allows developers to delay the installation of newly published gem versions. The goal is similar: reduce exposure to malicious packages during the highest-risk period immediately after release.

Several major package ecosystems have implemented comparable protections over the past year:

• Bun: minimumReleaseAge
• npm: min-release-age
• pnpm: minimumReleaseAge
• Yarn: npmMinimalAgeGate
• RubyGems Bundler: Cooldown Feature

These controls allow organizations to define a minimum age requirement before newly released packages become eligible for installation.

Why Supply Chain Attacks Remain a Major Threat

Modern software development depends heavily on third-party libraries, open-source packages, extensions, and automated updates. While these components accelerate development, they also expand the attack surface.

Attackers understand that compromising a trusted component can provide access to thousands of downstream users. Instead of targeting organizations individually, they target the software supply chain itself.

Recent attacks have shown that even brief exposure windows can result in widespread compromise. Malicious packages often remain available for only a few hours before security teams detect and remove them. During that time, automated update systems may already have distributed the code to numerous environments.

A delay mechanism directly addresses this challenge by reducing the speed at which potentially harmful releases spread.

What This Means for Security Teams

Security leaders should view Microsoft's decision as part of a broader shift toward safer software consumption practices.

Organizations that rely heavily on open-source software should consider implementing package age restrictions, dependency monitoring, and automated supply chain security controls. These measures can significantly reduce exposure to newly published malicious packages.

The VS Code update also highlights an important cybersecurity principle: not every security improvement requires complex technology. Sometimes slowing down a process by a few hours can provide enough time to detect threats before they cause widespread damage.

As software supply chain attacks continue to evolve, time-based security controls are becoming an increasingly valuable layer of defense for developers and enterprises alike.