Ethical Hacking News

Protecting Software Supply Chains: Microsoft Introduces 2-Hour Extension Auto-Update Delay to Mitigate Supply Chain Attacks



Microsoft has introduced a 2-hour delay for Visual Studio Code (VS Code) extension updates to protect against software supply chain attacks. The move follows similar measures recently adopted by RubyGems, Bun, pnpm, npm, and Yarn. By enforcing a minimum age threshold before a newly published version is installed, these controls shrink the window in which a malicious release can spread before it is flagged and removed. The change is part of a broader push to strengthen software supply chain security in response to the growing number of such attacks.

  • Microsoft will introduce a two-hour delay for extension updates in Visual Studio Code starting from version 1.123.
  • This delay is intended to provide an extra layer of protection against problematic or potentially compromised releases.
  • The delay does not apply to extensions from trusted publishers like Microsoft, GitHub, and OpenAI.
  • Other companies such as Bun, pnpm, npm, and Yarn have also introduced similar installation controls to reduce potential exposure from newly published malicious versions.



Microsoft has announced a new security measure aimed at protecting software supply chains from attack. Starting in Visual Studio Code (VS Code) version 1.123, extensions will wait two hours after a new version is published before updating to it automatically. The change is part of Microsoft's response to the growing threat of software supply chain attacks.

According to Microsoft, the delay adds an extra layer of protection against problematic or potentially compromised releases. When automatic updates are enabled, a new version is installed two hours after it is published. Users can still update any extension immediately at any time by using the "Update" button.

The delay does not apply to extensions from trusted publishers such as Microsoft, GitHub, and OpenAI; those extensions continue to update immediately. The announcement comes days after RubyGems added an opt-in cooldown feature to Bundler 4.0.13 that delays installation of newly published gem versions for a predefined period.

Software supply chain incidents have risen sharply over the past year, with attackers targeting multiple ecosystems to compromise developer systems and push malware to downstream users. Enforcing a minimum age threshold before a package version can be installed shortens the window in which a malicious version can spread before registry maintainers flag and remove it.

This is one of several changes aimed at bolstering software supply chain security. Bun, pnpm, npm, and Yarn have introduced similar installation controls to reduce exposure to newly published malicious versions: Bun offers a minimumReleaseAge setting (Bun 1.3+), npm a min-release-age setting (npm v11.10.0+), pnpm a minimumReleaseAge setting (pnpm 10.16+), and Yarn an npmMinimalAgeGate setting (Yarn Berry 4.10.0+).
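The minimum-age gate these package managers implement can be illustrated with a small resolver that refuses any version younger than the threshold and falls back to the newest version that is old enough. This is an added example, not code from VS Code or from any of the package managers named above; the package name, version timestamps and the two-hour threshold are constructed for illustration.

```python
"""Minimum-release-age gate for package version resolution (added example)."""
from datetime import datetime, timedelta

# Constructed sample metadata in the shape of an npm registry "time" map:
# version -> ISO 8601 publish timestamp. Package and dates are hypothetical.
PUBLISH_TIMES = {
    "1.4.0": "2026-06-01T09:00:00.000Z",
    "1.4.1": "2026-06-09T12:00:00.000Z",
    "1.5.0": "2026-06-10T16:10:00.000Z",  # pushed shortly before resolution
}


def parse_version(version):
    """Plain numeric dotted versions only; enough for the sample data."""
    return tuple(int(part) for part in version.split("."))


def parse_time(timestamp):
    """Registry timestamps end in 'Z'; return a timezone-aware datetime."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def eligible_versions(publish_times, now, min_age=timedelta(hours=2)):
    """Versions published at least min_age before now (boundary is inclusive)."""
    cutoff = now - min_age
    return [v for v, ts in publish_times.items() if parse_time(ts) <= cutoff]


def resolve_latest(publish_times, now, min_age=timedelta(hours=2)):
    """Newest version that passes the age gate, or None if none does."""
    candidates = eligible_versions(publish_times, now, min_age)
    return max(candidates, key=parse_version) if candidates else None


def held_back(publish_times, now, min_age=timedelta(hours=2)):
    """Versions still blocked by the gate, with minutes until each becomes eligible."""
    blocked = {}
    for version, ts in publish_times.items():
        remaining = parse_time(ts) + min_age - now
        if remaining > timedelta(0):
            blocked[version] = int(remaining.total_seconds() // 60)
    return blocked


if __name__ == "__main__":
    now = parse_time("2026-06-10T16:46:00Z")
    print(resolve_latest(PUBLISH_TIMES, now))   # 1.4.1: 1.5.0 is only 36 minutes old
    print(held_back(PUBLISH_TIMES, now))        # {'1.5.0': 84}
```

Run against a real registry feed, the same logic applies to any version that appears inside the cooldown window, which is why a compromised release published minutes ago never becomes the resolved target.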

Microsoft's extension update delay fits into this broader effort to strengthen software supply chain security. With the change, Microsoft is acknowledging the growing threat posed by supply chain attacks and taking a proactive step to mitigate them.

The move is particularly welcome given the recent surge in supply chain incidents, which have underscored the need for robust controls that protect developer systems and stop malware from reaching downstream users.

In short, the two-hour delay before extensions update automatically is a meaningful step toward protecting software supply chains, limiting how quickly a compromised extension release can reach VS Code users.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Protecting-Software-Supply-Chains-Microsoft-Introduces-2-Hour-Extension-Auto-Update-Delay-to-Mitigate-Supply-Chain-Attacks-ehn.shtml

  • https://thehackernews.com/2026/06/vs-code-adds-2-hour-extension-auto.html


  • Published: Wed Jun 10 16:46:17 2026 by llama3.2 3B Q4_K_M