What Happened
Microsoft has announced that Visual Studio Code (VS Code) will apply a two-hour delay before extensions for the integrated development environment (IDE) are updated automatically to a newer version in an attempt to tackle software supply chain threats. "When automatic updates are enabled, new versions are auto-updated two hours after they are published, adding an extra layer of protection
Why It Matters
The article reports that Microsoft is adding a 2‑hour delay before Visual Studio Code extensions are auto‑updated, aiming to reduce the impact of malicious or compromised releases in the broader software supply chain. This control is intended to give Microsoft and the community a window to detect and respond to suspicious updates before they propagate widely. From a CyberSE.AI perspective, this change is a supply chain risk‑mitigation measure that slightly reduces blast radius but does not eliminate risks such as extension account takeovers, malicious updates, or vulnerabilities in VS Code and compatible AI‑centric IDEs (e.g., Cursor, Windsurf) that share the same extension ecosystem.[2] Organizations using AI‑assisted development environments should still maintain robust SBOM practices, extension allowlists, and monitoring for anomalous IDE/extension behavior as part of a comprehensive AI supply chain security program.
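The two controls named above, a quarantine window before an update is applied and an extension allowlist, can be checked from the defender's side with a small audit script. The following is an added example, not code from the article or from Microsoft's VS Code code base. It assumes the installed inventory comes from `code --list-extensions --show-versions` (real CLI output of the form `publisher.name@version`), and that publish timestamps for candidate updates are supplied by the caller; the sample inventory, versions, timestamps and the allowlist semantics are constructed for illustration.

```python
"""Added example: audit installed VS Code extensions against an allowlist and
gate candidate updates behind a two-hour quarantine window (the delay the
article describes). Not part of the original page or of VS Code itself."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

QUARANTINE = timedelta(hours=2)  # the auto-update delay reported in the article


@dataclass(frozen=True)
class Extension:
    publisher: str
    name: str
    version: str

    @property
    def ident(self) -> str:
        return f"{self.publisher}.{self.name}"


def parse_extension_list(text: str) -> list[Extension]:
    """Parse `code --list-extensions --show-versions` output (publisher.name@version)."""
    parsed = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ident, sep, version = line.rpartition("@")
        if not sep or "." not in ident:
            raise ValueError(f"unexpected extension line: {line!r}")
        publisher, _, name = ident.partition(".")
        parsed.append(Extension(publisher, name, version))
    return parsed


def is_allowed(ext: Extension, allowlist: dict[str, bool]) -> bool:
    """Allowlist semantics (this example's own, an assumption): an exact
    `publisher.name` entry wins over a publisher-wide entry; unlisted is denied."""
    if ext.ident in allowlist:
        return allowlist[ext.ident]
    return allowlist.get(ext.publisher, False)


def update_eligible(published_at: datetime, now: datetime,
                    delay: timedelta = QUARANTINE) -> bool:
    """A new version is eligible only once it has been public for `delay`."""
    return now - published_at >= delay


def audit(inventory_text: str, allowlist: dict[str, bool],
          candidate_updates: dict[str, tuple[str, datetime]], now: datetime):
    """Return (denied installed extensions, eligible updates, held updates)."""
    installed = parse_extension_list(inventory_text)
    denied = sorted(e.ident for e in installed if not is_allowed(e, allowlist))
    eligible, held = [], []
    for ident, (version, published_at) in candidate_updates.items():
        bucket = eligible if update_eligible(published_at, now) else held
        bucket.append(f"{ident}@{version}")
    return denied, sorted(eligible), sorted(held)


# Constructed sample data (versions, timestamps and the second publisher are made up)
SAMPLE_INVENTORY = """\
ms-python.python@2024.2.1
example-publisher.helper-tool@0.9.0
"""
SAMPLE_ALLOWLIST = {"ms-python": True, "example-publisher.helper-tool": False}
NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_UPDATES = {
    "ms-python.python": ("2024.2.2", NOW - timedelta(hours=3)),            # past the window
    "example-publisher.helper-tool": ("1.0.0", NOW - timedelta(minutes=20)),  # still held
}

if __name__ == "__main__":
    denied, eligible, held = audit(SAMPLE_INVENTORY, SAMPLE_ALLOWLIST, SAMPLE_UPDATES, NOW)
    print("denied by allowlist:", denied)
    print("eligible updates:  ", eligible)
    print("held in quarantine:", held)
```

The quarantine check is deliberately independent of the allowlist check: the delay only buys detection time, so an extension that a policy would not permit at all still shows up as denied regardless of how long its latest release has been public.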
CyberSE Analysis
This signal maps to the AI supply chain risk class. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/vs-code-adds-2-hour-extension-auto.html