VS Code Adds 2-Hour Extension Update Delay to Limit Supply Chain Attack Window
June 9, 2026
Microsoft now delays VS Code extension updates by two hours for non-trusted publishers, giving time to detect malicious package versions before they reach developer machines. Trusted publishers including Microsoft, GitHub, and OpenAI are exempt from the delay.
HOW THIS AFFECTS YOU
● Builder: The two-hour window reduces but doesn't eliminate supply chain risk from compromised extension accounts — verify publisher trust status for extensions in your team's standard environment.