Security: minimumReleaseAge setting for mitigating supply chain attacks on extensions

[karlhorky]

In the last years, supply chain attacks have increased dramatically. A few examples in the VS Code extension ecosystem:

• AI-Slop ransomware test sneaks on to VS Code marketplace - BleepingComputer
• Malicious VS Code AI Extensions With 1.5M Installs Found Exfiltrating Code - The Hacker News
• Fake Clawdbot VS Code Extension Installs ScreenConnect RAT - Aikido
• Solidity Devs Targeted Again: Malicious VS Code Extension Drops ScreenConnect RAT - Checkmarx
• VS Code extensions contain trojan-laden image - ReversingLabs
• Malicious VSCode extensions on Microsoft's registry drop infostealers - BleepingComputer
• Malicious VSCode extensions infect Windows with cryptominers - BleepingComputer
• Nx Compromised to Steal Wallets and Credentials - Semgrep
• Supply Chain Risk in VS Code Extension Marketplaces - Wiz
• 3,800 internal repos at GitHub breached via a malicious VS Code extension: why developer devices are the real target

Allow for minimumReleaseAge-style security config from other package managers / updaters, to require a minimum age on VS Code extensions before they are installed (also when installed via CLI, etc) when either:

1. Installing the latest version
2. Updating an extension manually
3. Updating an extension automatically

Default: Also, similar to the pnpm v11 note in Prior Art below, consider making a small delay the default (somewhere between 1 and 3 days), so that there is time for:

1. security scanners such as Socket to find and report malicious extensions
2. VS Code Marketplace and OpenVSX to remove the malicious extensions

Exclude mechanism: There should be a way of excluding certain package names, package name patterns and publishers from the minimumReleaseAge setting, eg. like the pnpm minimumReleaseAgeExclude setting.

Centralized management via enterprise policy: Some users have commented that a centralized management via eg. GPO or MDM would be helpful:

@SherwoodFold in comment 4510110043: Additionally, this setting needs to be manageable by MDM profiles/configs so admins can actually manage their org's exposure.

@HendrikJan opened a similar issue #272765 which collected 12 upvotes. It was marked as a duplicate of #79689, but #79689 is not related to security (and is closed).

Prior Art

• JavaScript / TypeScript package managers
  • npm min-release-age
  • Yarn npmMinimalAgeGate
  • pnpm minimumReleaseAge
  • Bun minimumReleaseAge
  • Deno --minimum-dependency-age
• CI update bots / update tools
  • Dependabot cooldown
  • Renovate minimumReleaseAge
  • Snyk automatic dependency upgrade PR 21-day cooldown
  • npm-check-updates --cooldown
• Other package managers
  • pip --uploaded-prior-to
  • uv exclude-newer
  • Haskell Cabal --index-state (only absolute timestamps)
  • R / Posit Package Manager snapshot identifiers (only absolute dates)

A lot of these have appeared lately because of the supply chain attacks over the last years.

Default: pnpm v11 recently changed the default to 1-day minimumReleaseAge without any configuration:

Supply-chain protection on by default. minimumReleaseAge defaults to 1440 (1 day)

Source: https://pnpm.io/blog/releases/11.0

[barthuijgen]

Here because I got infected by the recently compromised nx console extension https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html

This is not acceptable, there is no defense against this, just having vscode open leaves you vulnerable at this point.

[lmt-swallow]

Big +1 for this. I don't want to blame anyone for today's GitHub incident - but the community should have this kind of configuration to protect themselves.

Note that we also need a way to temporarily bypass the age constraint for a specific extension. Other ecosystems don't really have a good solution for this yet, and it remains an ongoing concern when an urgent security patch or critical hotfix is released.

[karlhorky]

Note that we also need a way to temporarily bypass the age constraint for a specific extension. Other ecosystems don't really have a good solution for this yet, and it remains an ongoing concern when an urgent security patch or critical hotfix is released.

This is in the original PR description, and community does have some features for this, eg. pnpm has minimumReleaseAgeExclude:

Exclude mechanism: There should be a way of excluding certain package names, package name patterns and publishers from the minimumReleaseAge setting, eg. like the pnpm minimumReleaseAgeExclude setting.

[lisonge]

After the attack on GitHub due to a malicious VSCode extension (which was quickly discovered and removed), there should be no reason to reject this feature request, right?

[IvMisticos]

Just another +1

[karlhorky]

After the attack on GitHub due to a malicious VSCode extension (which was quickly discovered and removed), there should be no reason to reject this feature request, right?

Let's hope so!

I'm guessing @sandy081 and/or @isidorn will reply here soon.

[daaain]

I was reading about the Github compromise in this blog post and found it shocking that the company whose blog it is on charges £275/month for the device protection that implements this instead of it being part of VS Code itself. They obviously offer a more sophisticated protection, but this super simple minimum age setting would solve most extension compromises.

As for the minimumReleaseAgeExclude setting, what would be even better is the ability to opt in to a particular version of an extension, so future updates wouldn't get excluded from the rule.

[karlhorky]

As for the minimumReleaseAgeExclude setting, what would be even better is the ability to opt in to a particular version of an extension, so future updates wouldn't get excluded from the rule.

Excluding specific versions is supported in pnpm minimumReleaseAgeExclude - scroll down for the example:

minimumReleaseAgeExclude:
- nx@21.6.5
- webpack@4.47.0 || 5.102.1