{"uuid": "8022ecd9-db2c-41e8-92e4-449d91ebbb1d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48027", "type": "seen", "source": "https://gist.github.com/SyniRon/cdda0394ff4794c6f9936a8dda204208", "content": "# Take control of VS Code updates (without going dark on them)\n\nAuto-updating extensions is a real supply-chain risk: a compromised publisher account or a malicious release can push code straight onto your machine the moment it's published, before anyone has had a chance to notice it's bad.\n\nThis isn't hypothetical. In **[CISA's May 2026 alert](https://www.cisa.gov/news-events/alerts/2026/05/28/supply-chain-compromises-impact-nx-console-and-github-repositories)**, a malicious build of the **Nx Console VS Code extension (v18.95.0, [CVE-2026-48027](https://www.cisa.gov/known-exploited-vulnerabilities-catalog))** was, in CISA's words, *\"distributed through VS Code's automatic update mechanism, meaning systems with Nx Console previously installed may have received the malicious build without developers taking any manual installation action.\"* It was used to exfiltrate internal GitHub repositories. Auto-update was the delivery vehicle.\n\nThe fix is **not** to bury your head and never update. That leaves you on known-vulnerable versions. The right posture is:\n\n> **Don't auto-install. Stay notified. Update deliberately, after a release has had a few days to be vetted.**\n\nThis gist sets VS Code up that way.\n\n## The threat model in one line\n\n- **The editor itself** (VS Code) is signed by Microsoft and ships security patches, so you generally *want* these, just on your terms, not mid-session.\n- **Extensions** are third-party code from the Marketplace. This is where the supply-chain risk lives. 
Auto-update here means \"run whatever a publisher uploaded, instantly.\" That's the setting to kill.\n\n---\n\n## TL;DR settings\n\nOpen `settings.json` (`Cmd/Ctrl+Shift+P` \u2192 **Preferences: Open User Settings (JSON)**):\n\n```jsonc\n{\n  // --- App: get notified on startup, but never silently install ---\n  \"update.mode\": \"start\",\n\n  // --- Extensions: the important one ---\n  \"extensions.autoUpdate\": false,       // never auto-install extension updates\n  \"extensions.autoCheckUpdates\": true,  // DO check + show the badge so you know they exist\n  \"extensions.showRecommendationsOnlyOnDemand\": false\n}\n```\n\nThe key combination is `autoUpdate: false` + `autoCheckUpdates: true`: nothing installs on its own, but you still see the \"update available\" badge and per-extension **Update** buttons. You decide when.\n\n---\n\n## App updates: notified, not forced\n\n`update.mode` controls the editor itself:\n\n| Value       | Behavior                                                                 | Good for |\n|-------------|--------------------------------------------------------------------------|----------|\n| `\"default\"` | Auto-checks in the background, downloads, prompts to restart.            | Most people |\n| `\"start\"`   | Checks **only on startup**, then notifies. No background nagging.        | **Recommended here** |\n| `\"manual\"`  | No checks at all; you must run *Check for Updates* yourself.             | Fully air-gapped habits |\n| `\"none\"`    | Disables updates entirely.                                               | Not recommended |\n\n`\"start\"` is the sweet spot: you learn an update exists when you open VS Code, but it never installs without you clicking **Restart to Update**. 
Because the editor is Microsoft-signed, it's reasonable to apply these fairly promptly, since they're often security fixes.\n\nManual check anytime: **Code \u2192 Check for Updates\u2026** (macOS) / **Help \u2192 Check for Updates\u2026** (Win/Linux).\n\n---\n\n## Extension updates: the part that matters\n\nTwo settings work together:\n\n- **`extensions.autoUpdate: false`**: extensions never update themselves. *This is the security control.*\n- **`extensions.autoCheckUpdates: true`**: VS Code still checks and flags outdated extensions, so you're not flying blind.\n\nResult: the Extensions icon shows an update badge, and each outdated extension gets an **Update** button, but **nothing runs until you click it.**\n\n### Same thing via the UI\n\n1. Open **Extensions** (`Cmd/Ctrl+Shift+X`).\n2. Click the **`...`** (Views and More Actions) menu at the top.\n3. Turn **Auto Update Extensions** off.\n\n### Pin critical extensions to a known-good version\n\nFor anything sensitive (linters, formatters, anything that runs on save, anything with broad filesystem/network access), lock the exact version:\n\n- Right-click the extension \u2192 **Install Another Version\u2026** \u2192 pick a version you trust.\n\nIt stays on that version even when an update appears, until you deliberately move it.\n\n---\n\n## A 30-second checklist before you click Update\n\nThis is where the actual safety comes from. When you see an update available:\n\n1. **Let it bake.** Don't update the moment a release drops. That's exactly when a poisoned build does its damage. CISA's floor for packages is *at least 3 hours*; for extensions you lose almost nothing by waiting days, which is plenty of time for a malicious release to be caught and pulled.\n2. **Check the changelog / release notes.** Unexplained version jumps or a vague \"bug fixes\" on a big version bump is a yellow flag.\n3. 
**Confirm the publisher is unchanged and verified.** A new or changed publisher on an established extension is a red flag; publisher-account compromise is a common vector.\n4. **Glance at the Marketplace page.** Recent reviews and the issue tracker often surface \"this update broke / looks sketchy\" fast.\n5. **Prefer batching.** Review and apply updates on a schedule (e.g. weekly), not reflexively per popup.\n\n> These mirror CISA's package-repo guidance from the same alert: **wait before pulling a new release, pin to trusted versions, and only install from sources you trust.**\n\n---\n\n## Verify it stuck\n\nReload the window (`Cmd/Ctrl+Shift+P` \u2192 **Developer: Reload Window**), reopen Settings, and confirm the values. You should still see update badges (that's intended), but nothing should install without your click.\n\n---\n\n### Quick reference\n\n```jsonc\n{\n  \"update.mode\": \"start\",               // notified on startup, manual install\n  \"extensions.autoUpdate\": false,       // no auto-install of extensions\n  \"extensions.autoCheckUpdates\": true   // but DO tell me updates exist\n}\n```\n", "creation_timestamp": "2026-06-03T21:32:05.000000Z"}