Microsoft has introduced a new security control in Visual Studio Code designed to reduce the risk of software supply chain attacks by delaying automatic updates for extensions. The company confirmed that VS Code will now apply a two-hour delay before newly published extension versions are automatically installed when auto-update settings are enabled. The change is aimed at providing an additional safety window to identify and block potentially compromised or problematic releases before they reach developer environments. The change ships in VS Code version 1.123 and is part of a broader effort to strengthen trust in extension distribution channels, which are frequently targeted in supply chain attacks.
According to Microsoft, the two-hour delay applies only to automatic updates and does not prevent users from manually updating extensions at any time. Developers can still install the latest version immediately by using the update option within the interface. When an extension update is pending because of the delay, VS Code will display information explaining why the update has not yet been applied, along with the expected time when it will be installed. This approach aims to balance security with usability by keeping developers informed while preserving access to urgent fixes when required. The company also clarified that the delay mechanism is designed to reduce exposure to malicious or faulty updates that may be discovered shortly after release.
Microsoft further stated that the delay rule does not apply to extensions published by trusted providers such as Microsoft, GitHub, and OpenAI. Extensions from these publishers will continue to receive immediate updates without any waiting period. This exception reflects a trust-based model in which verified publishers are treated differently because of their established security practices and review processes. The company did not indicate any impact on extension functionality, and the change is intended to operate silently in the background while improving protection against compromised packages entering developer systems during early release windows.
The introduction of this feature comes amid a broader industry shift toward strengthening defenses against software supply chain attacks, which have increasingly targeted development ecosystems. Similar protective mechanisms have recently been adopted across multiple package management systems. RubyGems introduced an opt-in cooldown feature in Bundler version 4.0.13 that delays installation of newly published gem versions for a predefined period. This control allows developers to avoid immediate exposure to potentially malicious packages that may be taken down shortly after release. Comparable safeguards have also been implemented across the major JavaScript package managers: Bun with minimumReleaseAge in version 1.3 and above, npm with min-release-age in version 11.10.0 and later, pnpm with minimumReleaseAge in version 10.16 and above, and Yarn with npmMinimalAgeGate in Berry 4.10.0 and later. These measures collectively reflect a growing industry response to attacks targeting developer tools and package registries.
Security researchers have observed a rise in incidents where threat actors attempt to compromise developer workflows by injecting malicious code into widely used packages or extensions, which then propagates downstream to end users. By introducing a minimum age threshold before installation or update, these defensive mechanisms aim to limit the speed at which malicious versions can spread through ecosystems. The delay gives security teams and registry maintainers additional time to detect suspicious activity, remove harmful packages, and prevent widespread compromise. Microsoft’s implementation in VS Code aligns with this broader strategy of slowing down automated distribution channels just enough to reduce the impact of fast-moving supply chain threats while preserving the flexibility developers expect from modern tooling environments.
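As an added illustration, not VS Code's own code, the following models the gating policy the article describes for extension auto-updates and, more generally, the minimum-release-age idea adopted by the package managers above: a two-hour delay, trusted publishers exempt, manual updates always allowed, and a deferred update reporting why it waits and when it will install. The lowercase publisher identifiers, the extension names and the sample release feed are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AUTO_UPDATE_DELAY = timedelta(hours=2)  # delay the article reports for VS Code
# Publishers the article names as exempt; the lowercase identifiers are assumed.
TRUSTED_PUBLISHERS = {"microsoft", "github", "openai"}

@dataclass(frozen=True)
class Release:
    extension: str
    publisher: str
    version: str
    published_at: datetime  # timezone-aware UTC

@dataclass(frozen=True)
class Decision:
    install: bool
    reason: str
    eligible_at: datetime | None = None  # set only when the update is deferred

def evaluate(release: Release, now: datetime, manual: bool = False) -> Decision:
    """Manual updates bypass the gate, trusted publishers are exempt, and any
    other release must be at least AUTO_UPDATE_DELAY old before auto-install."""
    if manual:
        return Decision(True, "manual update requested by the user")
    if release.publisher.lower() in TRUSTED_PUBLISHERS:
        return Decision(True, f"trusted publisher {release.publisher}")
    eligible_at = release.published_at + AUTO_UPDATE_DELAY
    if now >= eligible_at:
        return Decision(True, "release is older than the auto-update delay")
    # Deferred: report why it waits and when it installs, as the article says VS Code does.
    return Decision(False, f"deferred, installs in {eligible_at - now}", eligible_at)

def pending_updates(releases: list[Release], now: datetime) -> list[tuple[Release, Decision]]:
    """Return the releases that auto-update would still hold back at `now`."""
    held = []
    for release in releases:
        decision = evaluate(release, now)
        if not decision.install:
            held.append((release, decision))
    return held

# Constructed sample feed; the extension and publisher names are made up.
NOW = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_FEED = [
    Release("example.linter", "acme", "3.4.1", NOW - timedelta(minutes=25)),
    Release("example.theme", "acme", "1.0.9", NOW - timedelta(hours=5)),
    Release("example.tools", "Microsoft", "2.0.0", NOW - timedelta(minutes=1)),
]
```

Running pending_updates(SAMPLE_FEED, NOW) holds back only the 25-minute-old release from the untrusted publisher; the five-hour-old one and the trusted publisher's one-minute-old one install immediately.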