VS Code Delays Extension Updates to Block Supply Chain Attacks

Robert Moore · 2026-06-08

Microsoft just dropped a quiet but important change to Visual Studio Code. Starting now, VS Code will wait two hours before automatically updating any extension to a newer version. That two-hour gap is designed to catch bad updates before they hit your machine. Software supply chain attacks have been on the rise. Hackers compromise a legitimate extension, push a malicious update, and boom — thousands of developers get infected. By adding this delay, Microsoft gives the community a window to spot trouble before it spreads. ### Why Two Hours Matters Think of it like a safety buffer. When an extension publisher releases a new version, VS Code won't install it immediately. Instead, it waits 120 minutes. During that time, security researchers and users can report issues. If something looks fishy, the extension can be pulled or flagged before it reaches most people. This isn't a silver bullet, but it's a smart layer of defense. It won't stop every attack, but it makes mass exploitation harder. For developers working in high-stakes environments, that two-hour window could be the difference between a minor scare and a full-blown breach.  ### What This Means for You If you rely on VS Code extensions for your daily work, here's what changes: - Automatic updates now have a built-in delay - You can still manually update extensions anytime - The delay only applies when auto-update is enabled - No change to how extensions are installed or managed This move aligns with broader industry trends. Other tools like npm and PyPI have introduced similar delays or review periods. Microsoft is playing catch-up, but it's a welcome shift. ### The Bigger Picture Supply chain attacks aren't going away. They're getting smarter. By slowing down the update pipeline, VS Code gives defenders a fighting chance. It's a small inconvenience for a big security gain. For antidetect browser professionals, this is a reminder to audit your tools regularly. Even trusted extensions can turn rogue. Stay updated, but stay cautious. ### Final Thoughts Microsoft's two-hour delay is a practical step. It won't solve every problem, but it buys time. And in security, time is everything. Keep your extensions updated, but let the two-hour window do its job. Your workflow will thank you.