HackMyIP
2026-06-08 The Hacker News

VS Code Adds 2-Hour Auto-Update Delay to Thwart Supply Chain Attacks

Supply Chain · Vulnerability · Malware

Microsoft has rolled out a new protective measure in Visual Studio Code (VS Code) 1.123 that delays automatic extension updates by two hours, aiming to curb the rising tide of software supply chain attacks targeting developers. The cooldown period gives the community and security researchers time to identify and report malicious or compromised releases before they propagate to user environments. According to Microsoft, the delay activates only when automatic updates are enabled, and users retain the ability to manually trigger updates via the "Update" button. Pending updates now display a rationale and the scheduled update time in the extension details view, giving developers full transparency into the process.

Importantly, the two-hour buffer does not apply to extensions published by trusted vendors, including Microsoft, GitHub, and OpenAI, which will continue to update immediately. This mirrors a broader industry shift toward age-based installation controls across major package ecosystems. RubyGems recently introduced an opt-in cooldown in Bundler 4.0.13, while Bun (minimumReleaseAge, 1.3+), npm (min-release-age, v11.10.0+), pnpm (minimumReleaseAge, 10.16+), and Yarn Berry (npmMinimalAgeGate, 4.10.0+) have all added similar minimum-release-age mechanisms. The defensive strategy is straightforward: shorten the window during which a freshly published malicious version can spread before it is flagged and pulled by registry maintainers.
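The minimum-release-age gate described above, as an added example written for this page; it is not code from the article or from VS Code, npm, pnpm, Bun, Yarn or RubyGems. It assumes registry metadata shaped like the npm registry's packument `time` field (version to publish timestamp), a constructed package `example-lib` with invented publish dates, and plain MAJOR.MINOR.PATCH version strings; the function `resolveWithMinAge` and the constant `HOUR_MS` are this example's own names.

```javascript
// Added example, not code from the article or from any package manager.
// Implements the minimum-release-age gate the article describes: given
// registry metadata with publish timestamps, pick the newest version that
// has already been public for at least `minAgeMs`, and report the newer
// versions that were held back together with when they become eligible.

// Constructed sample, shaped like the npm registry's "time" field
// (version -> ISO-8601 publish timestamp). Package name and dates are invented.
const samplePackument = {
  name: "example-lib",
  "dist-tags": { latest: "2.4.0" },
  time: {
    "2.3.0": "2026-06-01T10:00:00Z",
    "2.3.1": "2026-06-05T09:30:00Z",
    "2.4.0": "2026-06-08T11:45:00Z", // published 45 minutes before the sample "now"
  },
};

const HOUR_MS = 60 * 60 * 1000;

// Minimal numeric comparison for plain MAJOR.MINOR.PATCH strings (no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns { version, skipped } or null when no version has aged enough yet.
// `skipped` lists the versions newer than the chosen one that are still inside
// the cooldown window, each with the time at which the gate would let it through
// (the "scheduled update time" a client can show the user).
function resolveWithMinAge(packument, minAgeMs, nowMs = Date.now()) {
  const versions = Object.keys(packument.time).sort(compareVersions);
  const eligible = versions.filter(
    (v) => nowMs - Date.parse(packument.time[v]) >= minAgeMs
  );
  if (eligible.length === 0) return null;
  const chosen = eligible[eligible.length - 1];
  const skipped = versions
    .filter((v) => compareVersions(v, chosen) > 0)
    .map((v) => ({
      version: v,
      availableAt: new Date(Date.parse(packument.time[v]) + minAgeMs).toISOString(),
    }));
  return { version: chosen, skipped };
}

// Stand-alone demonstration: the same package resolved with no gate,
// a two-hour gate (the VS Code setting) and a seven-day gate.
function demo() {
  const now = Date.parse("2026-06-08T12:30:00Z"); // constructed clock
  return {
    ungated: resolveWithMinAge(samplePackument, 0, now),
    twoHours: resolveWithMinAge(samplePackument, 2 * HOUR_MS, now),
    sevenDays: resolveWithMinAge(samplePackument, 7 * 24 * HOUR_MS, now),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints three resolutions for the same package: with no gate it returns 2.4.0; with a two-hour gate it returns 2.3.1 and reports 2.4.0 as held back until 13:45 UTC; with a seven-day gate it falls back to 2.3.0. Note that the gate is only a delay: a version that is malicious but goes unreported for longer than the window installs normally, which is why the article frames it as one layer of defense rather than a substitute for auditing dependencies.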

This move comes amid a documented surge in supply chain incidents, with threat actors increasingly poisoning popular packages to compromise developer systems and downstream consumers. Developers who maintain CI/CD pipelines and manage dependencies should treat this update as one layer of defense, and should also audit their installed extensions regularly. Compromised IDE extensions can exfiltrate tokens, source code, and cloud credentials, so it is worth verifying your exposure with a quick password checker and reviewing any suspicious activity via an email breach checker. For teams operating behind corporate proxies, running a VPN/proxy detector can help ensure that extension traffic is not leaking through unauthorized tunnels. As ecosystem-level safeguards mature, combining them with proactive credential hygiene and network visibility remains the strongest posture against supply chain compromise.

Source: The Hacker News
