VS Code Adds 2-Hour Extension Auto-Update Delay to Limit Supply Chain Attacks
Microsoft Visual Studio Code (VS Code) has introduced a two-hour delay before automatically updating extensions to mitigate risks associated with software supply chain attacks. This delay applies to most extensions except those from trusted publishers like Microsoft, GitHub, and OpenAI, which continue to update immediately. The feature aims to provide an additional layer of protection by allowing time to detect and respond to potentially compromised or problematic extension releases. Users retain the option to manually update extensions immediately if desired. This change aligns with similar time-delay controls recently adopted by other package managers to reduce exposure to malicious package versions. The update is available starting with VS Code version 1.123.
AI Analysis
Technical Summary
VS Code now implements a two-hour automatic update delay for extensions to limit the impact of supply chain attacks. When automatic updates are enabled, new extension versions are installed two hours after publication, except for extensions from trusted publishers which update immediately. This delay provides a buffer period to identify and mitigate potentially malicious or faulty extension releases. Users can manually trigger immediate updates if needed. This approach follows similar measures introduced by other package managers like RubyGems, npm, pnpm, and Yarn to reduce the window of exposure to malicious package versions. The feature is included starting in VS Code 1.123.
Potential Impact
The two-hour delay reduces the risk of rapidly propagating malicious or compromised extension updates by providing a short buffer period for detection and response. It limits the window during which a supply chain attack could affect users via automatic extension updates. Trusted publishers are exempt from this delay, ensuring timely updates for widely trusted extensions. There are no known exploits in the wild related to this change, and users can still manually update extensions immediately if necessary.
Mitigation Recommendations
This feature is an official mitigation introduced by Microsoft in VS Code version 1.123. Users should update to this version or later to benefit from the automatic update delay. No additional user action is required to enable the delay if automatic updates are enabled. Users can manually update extensions at any time if immediate updates are needed. Since this is a proactive protective measure, no urgent remediation is necessary beyond updating VS Code to the supported version.
Technical Details
- Source Type: Subreddit
- Subreddit: cybersecurity
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":25,"reasons":["external_link","newsworthy_keywords:supply chain attack","non_newsworthy_keywords:vs","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["supply chain attack"],"foundNonNewsworthy":["vs"]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a265eb2e29bf47b50aa5f04
Added to database: 6/8/2026, 6:18:26 AM
Last enriched: 6/8/2026, 6:18:32 AM
Last updated: 6/9/2026, 4:59:26 AM