Microsoft has implemented a two-hour delay for automatic extension updates in Visual Studio Code to mitigate supply chain attack risks. The delay applies when developers enable automatic updates, pushing new extension versions live two hours after initial publication rather than immediately.

The strategy creates a detection window for security researchers and the VS Code team to identify malicious code before widespread distribution. Supply chain attacks targeting development tools have escalated in recent years, with threat actors compromising legitimate extensions to inject malware into downstream projects. A two-hour window allows maintainers and security tools to catch compromised versions before millions of developers pull corrupted code.

VS Code extensions run with elevated privileges within the IDE, giving attackers direct access to source code, credentials, and build systems. The consequences of a successful extension compromise are severe. Malicious code can steal API keys, inject backdoors into compiled applications, or sabotage software builds across entire organizations.

The delay mechanism applies automatically when developers configure VS Code to update extensions without manual intervention. Extensions already installed will update after the two-hour period passes. Developers who manually trigger updates or disable automatic updates bypass the protection entirely.

This represents a measured response to extensibility risks inherent in IDE ecosystems. Similar delays exist in other software distribution channels. The approach balances security with developer experience, avoiding complete lockdowns that would frustrate users while still providing breathing room for threat detection.

Microsoft simultaneously encourages extension publishers to adopt security best practices, including code signing and regular security audits. The company continues investing in the VS Code Marketplace scanning infrastructure to detect suspicious extensions before publication.

For organizations, this update reinforces the need for extension governance policies. Enterprise teams should review which extensions are permitted, implement procurement controls, and monitor extension usage. Individual developers benefit from the automatic protection but should remain cautious about installing extensions from unfamiliar publishers.
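The two-hour hold described above and the allowlist-style governance an enterprise team would layer on top of it can be expressed as one small policy check. The following is an added example written for this page, not VS Code's or Microsoft's code: the `Candidate`, `evaluate` and `plan_updates` names, the extension ids, versions and publication times are all constructed for illustration, and the two-hour window is an assumption that mirrors the delay in the article (in VS Code itself the relevant user-facing switch is the `extensions.autoUpdate` setting, which the example does not touch). The evaluator holds a version until it is at least two hours old, blocks publishers outside the allowlist, and ignores downgrades, so the "manual update bypasses the hold" case from the article shows up as simply calling it with a zero window.

```python
"""Toy evaluator for a delayed, allowlisted extension-update policy.

Added example with constructed data; not VS Code's implementation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Mapping, Optional

# Assumption: a two-hour hold, matching the delay described in the article.
HOLD_WINDOW = timedelta(hours=2)


@dataclass(frozen=True)
class Candidate:
    """A newly published extension version as seen in a marketplace feed."""
    extension_id: str       # "publisher.name", the VS Code id convention
    version: str
    published_at: datetime  # timezone-aware UTC timestamp


@dataclass(frozen=True)
class Decision:
    extension_id: str
    version: str
    action: str   # one of "install", "hold", "block", "skip"
    reason: str


def version_key(version: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def evaluate(candidate: Candidate, installed_version: Optional[str],
             allowed_publishers: frozenset, now: datetime,
             hold_window: timedelta = HOLD_WINDOW) -> Decision:
    """Decide what to do with one candidate version at time `now`."""
    ext, ver = candidate.extension_id, candidate.version
    publisher = ext.split(".", 1)[0]

    # Governance check first: an unlisted publisher never auto-installs.
    if publisher not in allowed_publishers:
        return Decision(ext, ver, "block",
                        f"publisher '{publisher}' is not on the allowlist")

    # Only genuine upgrades are considered; equal or older versions are ignored.
    if (installed_version is not None
            and version_key(ver) <= version_key(installed_version)):
        return Decision(ext, ver, "skip",
                        f"installed {installed_version} is not older than {ver}")

    # The delay: hold anything younger than the window.
    age = now - candidate.published_at
    if age < hold_window:
        eligible_at = candidate.published_at + hold_window
        return Decision(ext, ver, "hold",
                        f"published {age} ago; eligible at {eligible_at.isoformat()}")

    return Decision(ext, ver, "install",
                    f"published {age} ago, past the {hold_window} hold")


def plan_updates(candidates: Iterable[Candidate], installed: Mapping[str, str],
                 allowed_publishers: frozenset, now: datetime,
                 hold_window: timedelta = HOLD_WINDOW) -> List[Decision]:
    """Evaluate a whole feed against the installed set."""
    return [evaluate(c, installed.get(c.extension_id), allowed_publishers,
                     now, hold_window) for c in candidates]


# Constructed sample data: not real extensions, publishers or publication times.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
INSTALLED = {"acme.linter": "1.4.0", "acme.formatter": "2.0.1",
             "unknownpub.helper": "0.9.0"}
ALLOWED = frozenset({"acme"})
FEED = [
    Candidate("acme.linter", "1.4.1", NOW - timedelta(minutes=30)),    # too new: hold
    Candidate("acme.formatter", "2.1.0", NOW - timedelta(hours=3)),     # past hold: install
    Candidate("acme.formatter", "1.9.9", NOW - timedelta(days=2)),      # downgrade: skip
    Candidate("unknownpub.helper", "1.0.0", NOW - timedelta(days=1)),   # not allowlisted: block
]

if __name__ == "__main__":
    for d in plan_updates(FEED, INSTALLED, ALLOWED, NOW):
        print(f"{d.action:8} {d.extension_id}@{d.version}: {d.reason}")
```

Running the script prints one line per candidate with its action; the boundary is deliberately inclusive (a version exactly two hours old installs), and passing `hold_window=timedelta(0)` reproduces the no-delay behaviour of a manually triggered update, which is the case an organization's policy should decide whether to permit.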

The two-hour delay represents practical security rather than a complete solution. Attack