The point: VS Code delays automatic extension updates by two hours to create a detection window for compromised software components.
Microsoft delays automatic updates for VS Code extensions by two hours after publication. The measure is intended to provide time to identify compromised or malicious extensions before they spread through the supply chain.
Microsoft has announced that Visual Studio Code will introduce a two-hour delay for automatic updates to IDE extensions. When automatic updates are enabled, new versions will be installed only two hours after their release.
The goal of this measure is to reduce the risks of supply-chain attacks. The delay creates a time window in which security teams, community members and Microsoft’s own monitoring mechanisms can identify and flag compromised or malicious extensions before they are installed en masse on developer systems.
For CISOs, this means an additional control layer in the management of developer toolchains: the delay makes it possible to block suspicious updates before they reach the enterprise environment. Organizations can review notifications about new or modified extensions during these two hours and, if necessary, disable manual releases.
Source: thehackernews.com · Published June 8, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.