VS Code Adds Two-Hour Extension Auto-Update Delay to Reduce Supply Chain Attack Window

Microsoft has released VS Code 1.101 with a configurable two-hour delay on automatic extension updates. The change is a direct response to supply chain attacks in which malicious updates were pushed to popular extensions, executing on developer machines within minutes of publication. The delay gives security teams a detection window before malicious updates execute across the developer fleet.

#vscode #supply-chain #extension-security #developer-tools #microsoft #update-delay #ci-cd #devops-security

Microsoft has released VS Code 1.101 with a two-hour configurable delay on automatic extension updates, addressing a structural vulnerability in the VS Code extension ecosystem that has been exploited in multiple developer workstation supply chain attacks. When enabled, the delay holds incoming extension updates for two hours before applying them — providing a detection window for security monitoring before code from an extension update executes on developer machines.

The feature is configurable at the user level (extensions.autoUpdateDelay: 120) and enforceable enterprise-wide through VS Code policy settings (policies.json).

Why the Delay Matters

The VS Code extension Marketplace has been the target of multiple supply chain attacks in 2024–2026. The attack pattern is consistent: a legitimate, widely used extension is either compromised (attacker gains access to the publisher’s account) or cloned (a malicious extension with a confusingly similar name is published). A malicious update is pushed to the Marketplace. VS Code clients with automatic updates enabled download and execute the malicious extension code within minutes of publication — before any security review, before Marketplace scanning completes, and before the security community has time to identify and warn about the malicious update.

The two-hour delay does not prevent supply chain attacks through extensions, but it changes the economics:

  • Extension updates do not execute immediately across the developer fleet
  • Two hours of delay provides time for automated Marketplace scanning to flag the malicious update
  • Security teams monitoring the Marketplace or threat intelligence feeds have a window to identify the malicious update and push a policy to block it before it executes
  • In the event of a malicious update, the delay limits exposure: if the security team identifies and blocks the update quickly, only the clients that have already held it for the full two hours will have executed the malicious code, and everyone still inside the delay window never does

Configuration

User configuration (settings.json):

{
  "extensions.autoUpdate": true,
  "extensions.autoUpdateDelay": 120
}

Enterprise policy enforcement (policies.json for managed VS Code deployments):

{
  "ExtensionAutoUpdateDelay": 120
}

The policy can be distributed via Group Policy (for Windows domain-joined developer machines) or via MDM policies for macOS endpoints. For developers using VS Code through GitHub Codespaces or remote development containers, the policy applies to the VS Code client, not the container.

Disable auto-update entirely (maximum control, reduced convenience):

{
  "extensions.autoUpdate": false
}

This requires developers to manually approve each extension update — maximum security, but operationally burdensome for development teams with many extensions.

What the Delay Does Not Address

The two-hour delay mitigates the “fast-execution” attack pattern but does not address:

Pre-installed malicious extensions: Extensions already installed before the delay feature was enabled remain on the developer machine. An extension that has been malicious from initial publication is not affected by the update delay.

Marketplace review limitations: The VS Code Marketplace performs automated scanning of published extensions, but sophisticated malicious extensions can evade automated scanning. Microsoft’s security team performs additional review, but this review happens at publication, not at update time.

First-installation risk: New extension installations are not subject to the delay — only auto-updates are. A developer who installs a newly published malicious extension runs its code immediately.

Curated extension allow-listing (separate control): The most robust enterprise extension security control is an allow-list of approved extensions that developers may install. VS Code supports extension allow-listing through the extensions.allowedExtensionIDs policy. This is operationally heavier to maintain but eliminates the risk from unapproved extensions entirely.

For enterprise VS Code deployments:

  1. Enable ExtensionAutoUpdateDelay: 120 via policy for all developer endpoints
  2. Subscribe to VS Code Marketplace security notifications and the VS Code GitHub security advisories
  3. Consider implementing an allow-list of approved extensions for high-security development environments (production infrastructure tooling, security research, customer data handling)
  4. Review installed extensions across the developer fleet quarterly — identify extensions that have not been updated in 12+ months (potentially abandoned, reduced security review) or that have significantly increased requested permissions in recent updates
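The two controls above, the enforced delay from the Configuration section and the quarterly fleet review in recommendation 4, are both things a security team ends up scripting. The following is an added example, not code from VS Code or from Microsoft, that does both against constructed data: it verifies that a settings.json / policies.json pair actually enforces the delay, and it cross-checks a per-host extension inventory against an allow-list, a staleness cutoff, and version skew between hosts. It assumes that each host's inventory was captured as the output of `code --list-extensions --show-versions` (one `publisher.name@version` line per extension), that the approved set uses the same ID form the allow-list policy uses, that the last-published dates come from a map the security team maintains from Marketplace data, and that a policies.json value overrides the user's settings.json value. The hostnames, extension IDs, versions and dates are all constructed.

```python
# Added example (not VS Code's or Microsoft's code): audit helpers for the two
# controls the article recommends. Sample hosts, extension IDs, versions and dates
# below are constructed for illustration.
from __future__ import annotations

from collections import defaultdict
from datetime import date


def parse_listing(listing: str) -> dict[str, str]:
    """Turn `code --list-extensions --show-versions` output into {ext_id: version}."""
    installed: dict[str, str] = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ext_id, _, version = line.partition("@")
        installed[ext_id.lower()] = version or "unknown"   # extension IDs compare case-insensitively
    return installed


def check_update_delay(settings: dict, policy: dict | None = None,
                       minimum_minutes: int = 120) -> list[str]:
    """Report whether the effective config enforces the recommended auto-update delay.

    A missing delay is treated as 'not configured' (assumption: the article does not
    state the default). Auto-update disabled entirely is compliant: nothing is applied
    automatically, so there is nothing to delay.
    """
    findings: list[str] = []
    if not settings.get("extensions.autoUpdate", True):    # VS Code auto-updates by default
        return findings
    delay = settings.get("extensions.autoUpdateDelay")
    if policy and "ExtensionAutoUpdateDelay" in policy:
        delay = policy["ExtensionAutoUpdateDelay"]         # assumed: policy overrides user setting
    if not isinstance(delay, int) or delay < minimum_minutes:
        findings.append(
            f"auto-update enabled but delay is {delay!r}; expected >= {minimum_minutes} minutes")
    return findings


def audit_fleet(inventory: dict[str, dict[str, str]], allowed: set[str],
                last_published: dict[str, date], today: date,
                stale_after_days: int = 365) -> dict:
    """Cross-host review of installed extensions (recommendation 4 in the article).

    Returns:
      unapproved   - (host, ext_id) pairs outside the allow-list
      stale        - ext_ids whose last Marketplace publish is older than the cutoff
      version_skew - ext_id -> {host: version} where hosts disagree; during a
                     malicious-update incident this shows which hosts already
                     applied the new version and which are still inside the delay
    """
    allowed_lc = {a.lower() for a in allowed}
    unapproved = sorted((host, ext) for host, exts in inventory.items()
                        for ext in exts if ext not in allowed_lc)

    versions_by_ext: dict[str, dict[str, str]] = defaultdict(dict)
    for host, exts in inventory.items():
        for ext, ver in exts.items():
            versions_by_ext[ext][host] = ver
    version_skew = {ext: hosts for ext, hosts in versions_by_ext.items()
                    if len(set(hosts.values())) > 1}

    stale = sorted(ext for ext in versions_by_ext
                   if ext in last_published
                   and (today - last_published[ext]).days > stale_after_days)
    return {"unapproved": unapproved, "stale": stale, "version_skew": version_skew}


# --- constructed sample data -------------------------------------------------
SAMPLE_ALLOWLIST = {"approved-pub.linter", "approved-pub.formatter"}
SAMPLE_LISTINGS = {   # as if captured per host from `code --list-extensions --show-versions`
    "dev-laptop-01": "approved-pub.linter@2.4.1\napproved-pub.formatter@1.0.9\n",
    "dev-laptop-02": "approved-pub.linter@2.4.1\nrandom-pub.cool-theme@0.0.3\n",
    "dev-laptop-03": "approved-pub.linter@2.5.0\n",
}
SAMPLE_LAST_PUBLISHED = {   # constructed last-publish dates, as a security team would track them
    "approved-pub.linter": date(2026, 1, 10),
    "approved-pub.formatter": date(2026, 2, 1),
    "random-pub.cool-theme": date(2023, 5, 5),
}


def run_sample_audit(today: date = date(2026, 6, 1)) -> dict:
    """Parse every host's listing and run the fleet audit over the constructed data."""
    inventory = {host: parse_listing(text) for host, text in SAMPLE_LISTINGS.items()}
    return audit_fleet(inventory, SAMPLE_ALLOWLIST, SAMPLE_LAST_PUBLISHED, today)


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample_audit(), indent=2, default=str))
    print(check_update_delay({"extensions.autoUpdate": True, "extensions.autoUpdateDelay": 120}))
    print(check_update_delay({"extensions.autoUpdate": True}))
```

On the sample data the audit flags dev-laptop-02 for an extension outside the allow-list, marks that same extension as stale (last published well over 12 months ago), and reports version skew on approved-pub.linter because dev-laptop-03 is one version ahead of the other hosts; in a real incident that skew view is what tells you which machines are past the two-hour window. The delay check treats a user setting of 30 minutes as non-compliant unless a policies.json value of 120 or more overrides it, and accepts auto-update being disabled outright, matching the "maximum control" option in the Configuration section.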
