VS Code Adds 2-Hour Extension Auto-Update Delay to Limit Supply Chain Attacks
The Hacker NewsArchived Jun 08, 2026✓ Full text saved
Microsoft has announced that Visual Studio Code (VS Code) will apply a two-hour delay before extensions for the integrated development environment (IDE) are updated automatically to a newer version in an attempt to tackle software supply chain threats. "When automatic updates are enabled, new versions are auto-updated two hours after they are published, adding an extra layer of protection
Full text archived locally
✦ AI Summary· Claude Sonnet
VS Code Adds 2-Hour Extension Auto-Update Delay to Limit Supply Chain Attacks
Ravie LakshmananJun 08, 2026Software Supply Chain / Malware
Microsoft has announced that Visual Studio Code (VS Code) will apply a two-hour delay before extensions for the integrated development environment (IDE) are updated automatically to a newer version in an attempt to tackle software supply chain threats.
"When automatic updates are enabled, new versions are auto-updated two hours after they are published, adding an extra layer of protection against problematic or potentially compromised releases," Microsoft said.
The new feature is available starting in VS Code 1.123.
The tech giant noted that users still have the option to update any extension immediately at any point in time by using the "Update" button. When extensions have pending updates, a reason for why they haven't been updated yet will be available in the details view, along with when the automatic update will take place.
That said, this two-hour delay does not apply to extensions from trusted publishers such as Microsoft, GitHub, and OpenAI, it added. Extensions from such publishers will continue to be updated immediately.
The development comes days after RubyGems added an opt-in cooldown feature to Bundler 4.0.13 that delays installation of newly published gem versions for a pre-defined period.
Specifically, the feature allows developers to configure Bundler to introduce a time-based install delay with an aim to reduce potential exposure arising from newly published malicious versions.
Over the past year, similar installation controls have also been added to Bun, pnpm, npm, and Yarn -
Bun - minimumReleaseAge (Bun 1.3+)
npm - min-release-age (npm v11.10.0+)
pnpm - minimumReleaseAge (pnpm 10.16+)
Yarn - npmMinimalAgeGate (Yarn Berry 4.10.0+)
These changes arrive against the backdrop of a surge in software supply chain incidents targeting various ecosystems to breach developer systems and propagate malware to downstream users.
Before enforcing a minimum age threshold before a particular package version can be installed, the defensive control minimizes the window during which it spreads before it's flagged as malicious and taken down by the registry maintainers.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
Bundler, Microsoft, NPM, Package Management, pnpm, RubyGems, Software Supply Chain, Visual Studio Code, Yarn
⚡ Top Stories This Week
Malicious npm Package Stole Files From Claude AI User Directory via GitHub
Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation
ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited
ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More
PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded
GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure
⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions
Load More ▼
⭐ Featured Resources
Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo)
[Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed)
Learn How to Stop Attacks Before They Reach Your EDR – With PHASR
Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report