VS Code Adds 2-Hour Extension Auto-Update Delay to Limit Supply Chain Attacks

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2026/06/vs-code-adds-2-hour-extension-auto.html

ONE SENTENCE SUMMARY:

VS Code now delays most extension auto-updates by two hours to reduce exposure to newly published supply-chain attacks.

MAIN POINTS:

  1. Microsoft introduced a two-hour delay for automatic VS Code extension updates.
  2. The change aims to mitigate software supply chain threats from compromised releases.
  3. This protection activates when automatic extension updates are enabled.
  4. The feature is available beginning with Visual Studio Code version 1.123.
  5. Users can still manually install updates immediately via the “Update” button.
  6. Extension details show why an update is pending and when it will occur.
  7. Trusted publishers’ extensions bypass the delay and update immediately.
  8. RubyGems added an opt-in cooldown to Bundler 4.0.13 for delayed gem installs.
  9. Bun, npm, pnpm, and Yarn added minimum-release-age controls with specific settings.
  10. Minimum-age thresholds reduce the spread window before malicious packages are detected and removed.
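The following is an added illustration of the minimum-release-age mechanism described in points 7 through 10; it is not code from VS Code, npm, pnpm, Yarn, Bun or Bundler, and it does not use any of those tools' real configuration keys. It models the gate generically: a resolver walks the published versions of a package, skips any version younger than the cooldown, falls back to the newest version that has aged past it, and reports when the held-back version becomes eligible (the "why pending / when" detail the article mentions). The trusted-publisher bypass is modelled as a flag. The release list, timestamps and version numbers are constructed sample data, and versions are assumed to be dotted integers.

```python
"""Minimum-release-age gate for package or extension updates (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class Release:
    version: str
    published: datetime  # timezone-aware UTC timestamp of publication


@dataclass(frozen=True)
class Decision:
    install: Optional[str]            # version to install now, or None if nothing qualifies yet
    pending: Optional[str]            # newer version held back by the gate, or None
    eligible_at: Optional[datetime]   # moment at which `pending` clears the gate


def _version_key(version: str) -> tuple:
    # Assumption: versions are dotted integers such as "1.4.1"; richer semver is out of scope here.
    return tuple(int(part) for part in version.split("."))


def resolve(releases: Iterable[Release], min_age: timedelta, now: datetime,
            trusted_publisher: bool = False) -> Decision:
    """Pick the newest release that has been public for at least `min_age`.

    A trusted publisher bypasses the delay, mirroring the exception the article
    describes. Otherwise the newest version is installed only once it has aged
    past the threshold; until then the resolver reports it as pending and
    installs the newest older version that already qualifies.
    """
    ordered = sorted(releases, key=lambda r: _version_key(r.version), reverse=True)
    if not ordered:
        return Decision(None, None, None)

    newest = ordered[0]
    if trusted_publisher:
        return Decision(newest.version, None, None)

    for release in ordered:
        if release.published + min_age <= now:
            held_back = release is not newest
            return Decision(
                release.version,
                newest.version if held_back else None,
                newest.published + min_age if held_back else None,
            )

    # Every release is younger than the cooldown: install nothing, report the wait.
    return Decision(None, newest.version, newest.published + min_age)


# Constructed sample data: a package with a month-old release, a three-day-old
# patch, and a version published 45 minutes ago.
NOW = datetime(2026, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_RELEASES = [
    Release("1.4.0", NOW - timedelta(days=30)),
    Release("1.4.1", NOW - timedelta(days=3)),
    Release("1.5.0", NOW - timedelta(minutes=45)),
]


def demo_two_hour_gate() -> Decision:
    """Two-hour cooldown, as in the VS Code change: 1.5.0 is held, 1.4.1 is installed."""
    return resolve(SAMPLE_RELEASES, timedelta(hours=2), NOW)


def demo_trusted_publisher() -> Decision:
    """Trusted publisher: the freshly published 1.5.0 installs immediately."""
    return resolve(SAMPLE_RELEASES, timedelta(hours=2), NOW, trusted_publisher=True)


def demo_seven_day_gate() -> Decision:
    """A longer cooldown (as package managers allow) also skips the three-day-old 1.4.1."""
    return resolve(SAMPLE_RELEASES, timedelta(days=7), NOW)


if __name__ == "__main__":
    for label, decision in [("2h", demo_two_hour_gate()),
                            ("trusted", demo_trusted_publisher()),
                            ("7d", demo_seven_day_gate())]:
        print(f"{label:>8}: install={decision.install} pending={decision.pending} "
              f"eligible_at={decision.eligible_at}")
```

The point the example makes concrete is the trade-off in takeaway 4: a longer threshold shrinks the window in which a freshly compromised release can spread, at the cost of delaying legitimate fixes, while the trusted-publisher path removes the delay entirely and therefore rests on that publisher's account and build pipeline staying clean.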

TAKEAWAYS:

  1. Delayed updates are emerging as a standard defense across developer ecosystems.
  2. A short cooldown can meaningfully limit exposure to fast-moving malicious releases.
  3. Manual update options preserve developer flexibility despite automated delays.
  4. Trust-based exceptions prioritize speed for major publishers but increase reliance on publisher integrity.
  5. Supply-chain risk is rising, making proactive installation and update gating increasingly important.