Summary
Key Points:
- Microsoft has introduced a two-hour delay for automatic updates of extensions in Visual Studio Code to mitigate software supply chain attacks.
- This delay applies to non-trusted publishers, giving time for potentially malicious updates to be identified before they are installed and thereby protecting users from compromised releases.
- Users can still manually update extensions immediately if needed, and similar features have been implemented in other package managers like Bundler, npm, and Yarn.
Technical Details: The new feature is part of VS Code version 1.123 and aims to reduce the risk of installing malicious extensions by introducing a time-based delay before automatic updates occur.
MITRE ATT&CK Techniques: None mentioned
IOCs Mentioned: None mentioned